
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Pursuant to the General Data Protection Regulation, processing is lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In addition, the Federal Data Protection Act contains more specific provisions with respect to employment relationships.

Personal data of employees may be processed for employment-related purposes where this is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract, or to exercise or satisfy the rights and obligations of employees’ representation laid down by law, by collective agreements or by other agreements between the employer and the staff council.

Employees’ personal data may be processed to detect crimes only if there is a documented reason to believe that the employee has committed a crime while employed, the processing is necessary to investigate the crime, the employee’s legitimate interest in the data not being processed does not outweigh the processing, and in particular the type and extent of the processing are not disproportionate to the reason for it.

If employees’ personal data is processed on the basis of consent, the employee’s level of dependence in the employment relationship and the circumstances under which consent was given are taken into account in assessing whether the consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and the employee are pursuing the same interests. Consent must be given in written form, unless a different form is appropriate because of special circumstances. The employer must inform the employee in text form of the purpose of the data processing and of the employee’s right to withdraw consent.

By derogation from Article 9(1) of the General Data Protection Regulation, the processing of special categories of personal data referred to in Article 9(1) for employment-related purposes is permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security law or social protection law, and there is no reason to believe that the employee has an overriding legitimate interest in the data not being processed. If special categories of personal data are processed on the basis of consent, the consent must refer explicitly to those data.

The processing of employees’ personal data, including special categories of personal data, for employment-related purposes is also permissible on the basis of collective agreements (eg, collective bargaining agreements or works council agreements). However, such agreements must not fall short of the data protection standards established by the General Data Protection Regulation.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be deleted once its further storage is no longer permissible or, where it is processed for the controller’s own purposes, as soon as it is no longer needed for the purpose for which it was stored. Other statutes (eg, tax laws or trade laws) impose retention obligations of six or ten years for business documents.

Do individuals have a right to access personal information about them that is held by an organisation?

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her is being processed and, where that is the case, to access the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to its source;
  • the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Where personal data is transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

Further, the controller must provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless the data subject requests otherwise, the information must be provided in a commonly used electronic form.

Do individuals have a right to request deletion of their data?

Yes, under certain circumstances, for example where the personal data is no longer necessary for the purposes for which it was collected, or where the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing.

Consent obligations

Is consent required before processing personal data?

Not necessarily. Consent is one of several legal bases for the collection, processing and use of personal data. Where no statutory basis for the processing is available, consent may be the only option.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, if processing is necessary for:

  • the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
  • compliance with a legal obligation to which the controller is subject;
  • the protection of the vital interests of the data subject or of another natural person;
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

What information must be provided to individuals when personal data is collected?

That depends on whether the personal data is collected directly from the data subject or obtained from another source, but generally speaking, at the time when personal data is obtained, the data subject must be informed of:

  • the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party where the processing is based on such legitimate interests;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy or where they have been made available;
  • the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
