Code of practice for the responsible handling of data by the Swiss business sector

In the age of digitalisation, the way in which we handle data is becoming increasingly important. Data are now commonly regarded as a raw material of the digital world. Careful, sustainable handling of data, especially personal data, and the trust this builds are becoming a critical success factor for the economy and society. It is necessary to find a balanced relationship between overall social objectives and the interests of companies and consumers. 

This document was prepared by an interdisciplinary workgroup comprised of members of economiesuisse representing a cross-section of business and industry: the Data Code of Practice Workgroup. It embodies a commitment on the part of the Swiss business sector to the responsible handling of data throughout the entire data life cycle. 

Our aim is to create transparency and build trust by establishing ten fundamental principles with accompanying explanatory statements regarding the five stages in the life cycle of data, from their initial input through to their deletion, founded on the applicable legislation.

We want interested companies to use this document as the basis for implementing their own concepts for handling data within their own sphere of responsibility.

We hope readers will find it interesting and informative, and we wish companies every success in the implementation of their own concepts. 

The following organisations, which by the nature of their business activities are closely involved with the issue of responsible handling of data, have expressly declared their support of the Data Code of Practice:

Other organisations are invited to submit a declaration of support. They will be included in the electronic version of the code immediately and in the next edition of the printed version. All supporting organisations will be incorporated into the further development of the code. 

To achieve the declared objectives, the Swiss business sector undertakes to adhere to the following ten basic principles of responsible handling of personal data: 

1. Good faith 
We undertake to act in good faith in our handling of personal data. The term “good faith” refers to the behaviour of persons and companies whose actions are honest, fair and considerate.

2. Transparency and visibility 
We undertake to procure personal data in a way that is clearly visible to the persons it concerns and to disclose the purpose of the processing of the data in question. The aim of this commitment is to provide transparency with respect to the handling of data and to underscore the principle of good faith. If data are handled in a transparent and visible manner, in the interest of facilitating an economical and user-friendly data flow we will no longer seek the consent of the person concerned, insofar as this is permissible under law. 

3. Legality 
We undertake to only handle personal data lawfully, i.e. in compliance with the applicable legislation. 

4. Proportionality 
We undertake to handle personal data according to the principle of proportionality. This means we only collect and process data to the extent to which it is necessary and appropriate for a given purpose. We always balance the purpose behind the processing of personal data with the risk of an incursion in the rights of the individual concerned. 

5. Data quality
We undertake to ensure that personal data are complete, up to date and correct for the purpose and processing in question. 

6. Intended purpose and limitation of use 
We undertake to only handle personal data for the purpose that is specified at the time of their procurement, that is evident from the circumstances, that is reasonably reconcilable with the original purpose or that is required by law. 

7. Data security
By implementing appropriate technological, contractual and organisational protective measures we undertake to secure personal data against risks such as loss and unauthorised access, destruction, use, modification and disclosure by unauthorised persons or entities. 

8. Self-determination with regard to personal information 
When processing data we undertake to protect the privacy of the person concerned. Upon request we will confirm the existence of the data of the person concerned and will provide that person with the data he/she has supplied along with the details available on their origin and the purpose of their processing. If the person has the right to delete or modify the data, we will comply with his/her request. 

9. Prohibition of discrimination 
We undertake to ensure that no one may be disadvantaged through unlawful discrimination as a result of our handling of data. Unlawful discrimination is deemed to occur if comparable personal data are processed in an unequal manner without objective substantiation.

10. Responsibility 
We accept responsibility for our compliance with these fundamental principles.

As the party responsible for good governance we define clear rules governing roles, processes and the use of technologies. The key components of good corporate governance are transparency, the principle of responsibility and data ethics. With a risk-based approach we undertake to protect the personal rights and freedoms of the person concerned so as to foster trust with respect to data handling. For this purpose we identify the risks associated with the processing of the data and balance the protection of the personal integrity of the person concerned against the general or specific benefits of processing the data. We subject our data governance to an ethical review process.

The creation and collection of data by companies in practice relies on several sources:

Actively supplied personal data are data made available by the person concerned as the result of enquiries, orders or registration for newsletters.

Observed personal data are collected automatically without any action on the part of the person concerned. Here, potential sources include payment systems, sensors such as cameras, location and mobility data and cookies on websites. 

Personal data generated by means of data analysis are generated by algorithms or artificial intelligence systems from other available data. Examples here include the identification of a person's preferences for particular goods or services, or the calculation of client profitability based on the number of visits to a store and the quantity of items purchased.

• When collecting personal data we undertake to restrict ourselves to the data that are necessary for the specified purpose. We collect the data in a transparent and visible manner.

  This means we do not collect personal data solely because they might be useful in the future.
   

• We assess the risk to the rights and freedoms of the person concerned prior to data creation and collection.
   
• In cases in which data are created and collected without the knowledge of the person concerned, in accordance with the principle of good corporate data governance we undertake to ensure an appropriate degree of transparency vis-à-vis the person concerned when processing the data. We also take due account of any conflicting interests.

Data retention commences with the arrival of the data within the sphere of responsibility of the company concerned and terminates when the data are no longer held by the company or have been deleted or destroyed.

Data may be stored on a company’s internal systems (for example, servers, online or offline storage) or in storage systems of third parties (for example, in a cloud).

• We do not retain personal data any longer than necessary. If the original purpose for collecting the personal data is no longer applicable and no legal basis exists for their continued storage, we will delete or destroy the data or take measures that have the same effect for the person concerned.
   
• With respect to the requirements relating to data security we orient ourselves on the risk associated with the processing of certain data for the person concerned.
   
• We take the technological, organisational and contractual measures that are necessary and appropriate to adequately protect the retained personal data against the risk in question.
  
  For the purpose of establishing a data security system within the company, we orient ourselves on the existing security standards. The more sensitive the data, the higher the requirements we place on our security system (in particular with respect to precautionary measures, protection mechanisms and system access)
   
• We grant access rights based on the principle of “need to know”. The personnel entrusted with the processing of personal data only have access to data that are necessary for their specific tasks.

We only use data for a specified purpose. We use profiling, which speeds up work processes and can have positive effects for the person concerned, subject to the principle of proportionality; where appropriate, we apply anonymisation and pseudo-anonymisation to protect the person’s identity. 

• We only process personal data for a specified purpose, i.e. for the person concerned our processing has to be reconcilable with a specific, recognisable purpose.
   

• Profiling can speed up work processes and also have positive benefits for the person concerned, and it is now an essential part of daily business. We use profiling proportionately and, where necessary, carry out a risk assessment regarding the data utilised and the consequences for the person concerned.
   

• We apply anonymisation and pseudo-anonymisation methods in order to protect the identity of the person concerned.

  When pseudo-anonymisation is used, assigning the data to a given person may only be possible by the party who holds the appropriate decoder. Pseudo-anonymised data only qualify as personal data for the holder of the decoder.

  When anonymisation is applied, the possibility of re-identifying a given person based on the data is ruled out on the basis of the latest technology in a manner that is appropriate and feasible for those responsible. Because the ability to identify given individuals is ruled out, anonymised data no longer qualify as personalised data and are therefore not subject to the provisions of data protection legislation.
   

• We endeavour to render data use as comprehensible as possible for the person concerned. To this end we choose a suitable, simplified form of communication, for example pictograms. We ensure that the use of pictograms complies with any applicable standards.

In an economy that is becoming ever more digitalised and where division of labour and cross-border organisation to reduce costs and increase efficiency are on the rise, data traffic is an everyday form of data processing.

Data traffic encompasses every form of transmission, including the transfer of, and provision of, access to data between individuals and companies, irrespective of the legal basis. 

• We specifically inform the person concerned about data transmission that is not readily recognisable. Thus the person concerned is able to assume personal responsibility with respect to the handling of his/her own data.
   

• We are in favour of a cross-border, standardised data space that assures an appropriate level of data protection and does not impose any unnecessary obstacles. This also applies within companies, in the framework of outsourcing solutions and in distribution chains.
   

• We take all necessary measures based on the latest technology to protect data against unauthorised access.
  
  In regions where there is already adequate data protection there is no need for additional protective measures.
  
  Elsewhere we take additional technological and/or contractual measures as necessary, as well as measures relating to personnel and organisation.
   

• Within the scope of the applicable legal provisions, upon request we will provide the person concerned with information about data we have received from, or collected on, him or her.
   

• We are committed to a purposeful form of data portability, which we implement with the aid of standard, primarily electronic formats.

  This concerns data that the person in question has placed at our disposal

• We ensure that our exchange of data with third parties complies with the fundamental principles set down here.

The deletion or destruction of data refers to the irrevocable destruction, obliteration or irreversible removal of personal data.

If the irrevocable deletion of data is not possible, we will take measures that have the same effect. 

Upon completion of data deletion or destruction, the data in question will no longer be recognisable or will no longer exist. 

• Data processing must be organised such that it is possible to delete or destroy personal data in accordance with the applicable legal provisions.
   

• Data must be deleted or destroyed as soon as the original purpose has been fulfilled or the retention periods have expired or if the person concerned has requested their deletion or destruction within the scope of the applicable legislation.
   

• Anonymisation represents an alternative to deletion or destruction.
   

• We ensure that the requirements and criteria for the deletion or destruction of data are met, including for datasets that are processed by third parties.
   

• We will organise our processes such that deletion or destruction processes can be carried out on the basis of the latest technology and a plan exists for their deletion or destruction (data governance). 

We would like to thank the intersectoral Working Group and their experts for the good cooperation.