Share this: 

Switzerland Data Privacy Laws

Cloud Governance: Data Residency/Sovereignty

Privacy Legislation in Switzerland

Cloud Governance Data Residency and Sovereignty Switzerland Data Privacy LawsThe Swiss data protection law guarantees the protection of the private sphere for data processing carried out by persons in Switzerland. However, when data is transmitted abroad, an adequate level of its protection has to be provided for thereabouts.

If personal data is processed in cloud computing, in data protection terms this is normally considered to be data processing by a third party under Article 10a of the Data Protection Act (DPA). Under this Act, the processing of personal data may be assigned to third parties (in this case, cloud service providers) by agreement or by law as long as the data is processed as the instructing party (i.e., cloud user) would be permitted to process it, and it is not prohibited by any statutory or contractual duty of confidentiality.

Ensuring Security Standards

The instructing party must ensure that the third party guarantees data security. The cloud service provider must therefore be required to comply in full with the data protection laws applicable in Switzerland. This also applies to any subcontractors employed by the provider. However, in practice it is difficult to enforce this requirement, as in cloud computing applications the cloud service provider’s subcontracting relations are often not transparent to the cloud user.

Cloud Governance Data Residency and Sovereignty Switzerland Data Privacy LawsThe cloud user must also ensure that the cloud service provider as a third party protects data in accordance with data Article 7 DPA and Article 8 ff. and 20 ff. DPO. This means that personal data must be protected by appropriate technical and organizational means against unauthorized interference. The confidentiality, availability and the integrity of the data must be guaranteed. The cloud service provider must protect the data against the following risks: unauthorized or accidental destruction or accidental loss; technical faults; forgery, theft or unlawful use; unauthorized alteration, copying, access or other unauthorized processing. These measures should be checked periodically on site. The manner in which the data protection requirements are applied depends on the company or public body, on the type of data involved, and also on the organization and cloud layer (i.e. private or public, IaaS, PaaS or SaaS). Basically, the more confidential, secret, important (business-critical) or sensitive (particularly worth protecting) the data is, the less the use of cloud computing is recommended, in particular of a cloud abroad. Furthermore, security measures and the control of such should be all the more stringent and comprehensive.

Regulations on Data Going Abroad

In many cases, the use of cloud computing involves the disclosure of data abroad, as data is frequently processed on servers spread all over the world. Subcontractors are often involved, as are countries which have less stringent data protection laws than Switzerland. Therefore a risk exists that data will be processed in a way that is not permitted in Switzerland. Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered, and in particular if there are no safeguards guaranteeing adequate protection (Article 6 paragraph 1 DPA). If this is the case, personal data can only be disclosed abroad if one of the provisions under Article 6 paragraph 2 DPA applies. In the main, cloud users will have no choice but o obtain a contractual data protection guarantee from the cloud service provider, including any subcontractors involved. This poses practical prblems, as all users of the cloud where the personal data is processed must enter into the contract. However, it is essentially the party transferring personal data abroad who must prove that all requirements to ensure an appropriate level of protection have been met.

The cloud user is also responsible for guaranteeing the right to information under Article 8 DPA and the right to have data deleted or corrected under Article 5 DPA at all times for implementing them according to the data protection requirements. It may prove very difficult to meet these requirements, as the use of cloud applications often involves loss of control over data and the cloud user no longer knows which data is processed where. However, it is not possible to avoid these legal obligations.

Selecting a Cloud Service Provider

If a person wishes to use cloud computing to process their data, it is essential to choose the cloud service provider carefully (and carry out a risk assessment), and to instruct and monitor the provider accordingly. As the instructing party, cloud users are ultimately responsible towards the persons affected for respecting data protection laws, and can be held liable if these are infringed. Cloud users should therefore think carefully about which applications and data will remain at their own location and which are to be put into the cloud. A careful check of the cloud service provider must be made and a complete risk assessment of the organizational, legal and technical aspects carried out. A thorough analysis of the data protection requirements should also be conducted early on when choosing the type of cloud (private, public clouds specific to one enterprise or hybrid cloud). This will ensure that the cloud is used in compliance with data protection laws from the very beginning. Particular attention should be paid to the processing of personal data, including all steps from saving to processing and deletion. If after the risk assessment there is any doubt about the processing of data in the cloud, then outsourcing should be avoided.

Courtesy of the Office of The Federal Data Protection and Information Commissioner (FDPIC)

Satisfying Swiss Data Residency (Data Sovereignty) Requirements via a Cloud Data Protection Gateway

The Blue Coat Cloud Data Protection Gateway lets Switzerland enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications.  Authorized data security administrators can select, on a field-by-field basis, whether to allow a data going to the cloud to remain in clear text, to be encrypted, or to be replaced with a token. When using tokens as a surrogate value, sensitive data never leaves the organization’s control in any format – making it particularly useful for organizations that need to adhere with Switzerland’s National Privacy Legislation.

The data in the cloud is either tokenized or encrypted so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data is within their full control at all times.

Cloud Governance Data Residency and Sovereignty Switzerland Data Privacy Laws