Data protection, security technology and building planning
What impact does the revised Swiss Data Protection Act (revDSG) have on digital security technology and building planning? This article shows what needs to be taken into account in terms of data protection law on the provider and customer side.
When the revDSG comes into force in 2022, even those companies that were not previously subject to the GDPR will have to take into account higher data protection requirements. Even companies that already comply with the GDPR must also implement the deviating requirements of the revDSG. This means that all Swiss companies with contact points to digital security technology and building planning are affected, whether on the supplier or customer side.
Extension of particularly sensitive personal data: The list of personal data requiring special protection will be expanded to include genetic data and biometric data such as fingerprints, retina scans or vein patterns. Consequently, qualified legal consequences will also apply here in the future, whether in the case of consent, the data protection impact assessment or the disclosure of data to third parties. In particular, biometric data, which is very important for security solutions, will in future always be included by definition among the personal data requiring special protection and not, as before, at best indirectly (indications of ethnic origin or state of health).
High-risk profiling and profiling: Profiling is any type of automated processing of personal data in order to evaluate certain personal aspects of a natural person. High-risk profiling is when personal data is processed automatically and a combination of data allows the assessment of significant aspects of the personality. In the case of high-risk profiling, any required consent must be explicit. From a security perspective, any automated monitoring of individuals, whether by cameras, entry control systems or otherwise, must at least be considered profiling, and depending on the design, even high-risk profiling.
Order Processor: A contract processing relationship - for example, in the context of outsourcing such as data storage in the cloud or building monitoring - can be established by contract, among other things. The processor must process the data in the same way as the controller. In doing so, the responsible party must ensure that the order processor is able to guarantee data security. The transfer to a subcontractor requires the prior approval of the responsible party. With corresponding services, the security provider becomes the order processor of the customer and is required to implement the corresponding legal, technical and organizational measures.
Data protection through technology and data protection-friendly default settings: The controller must design data processing from the planning stage onwards in such a way that the data protection regulations and, in particular, the processing principles are complied with (privacy by design). Furthermore, the default settings must be made in such a way that the processing of personal data is limited to the minimum necessary for the intended purpose, unless the data subject specifies otherwise (Privacy by Default). Thus, security technology and building planning must take into account the requirements of Privacy by Design and by Default from the planning stage through to daily use.
Data protection requirements on the application of digital security systems?
In summary, it is clear that all the important innovations of the revDSG have an impact on modern security technology. The implementation of such solutions has direct data protection implications for providers and customers, which is why the necessary need for action must be determined. For the planning, realization and use of multifunctional, networked security systems, providers must therefore already deal in depth with the new data protection requirements in order to be able to advise customers adequately and find the best possible implementation solutions. This is also the case if GDPR measures have already been implemented, as certain differences must be taken into account and mapped in the revDSG. Based on the identified need for action, the required implementation measures can be determined, prioritized and implemented on a project-specific basis.
You can read the full technical report in the printed issue of SicherheitsForum 1-2021.
You want to read the articles of this issue? Then close right now here a subscription.
