Contracts with service providers
The form for concluding a non-disclosure agreement with service providers should always be used if personal data is involved or disclosed, e.g. if the service provider requires personal data to carry out the order or for communication (for example external bodywork, cleaning service or print shop).
Note:
If, on the other hand, the processing of personal data is carried out intensively and extensively by a contractor (outsourcing), e.g. DMS provider, IT service provider, marketing agency or external payroll office, this is so-called order processing in accordance with Art. 9 FADP, for which Impunix concludes the contract with the contractor. Without a corresponding contract, this may be punishable by law. Impunix is currently working on obtaining order processing contracts with DMS providers and IT service providers, among others.
You can conclude the non-disclosure agreement directly with your service providers by using the form linked below or by integrating it into a contract. Send a copy of the concluded agreement for documentation purposes to impunix (service@impunix.ch). If you are unsure, please contact your data protection advisor.
Request for information
In some garages, customers have already submitted requests for information or deletion. According to the Data Protection Act (DSG), any person can request information from the controller as to whether personal data concerning them is being processed. They can also request that the data be deleted or corrected if possible. This right of access enables the data subject to control the data concerning them. Based on the right of access, they can assert the rights to which they are entitled under the FADP. At the same time, the right of access guarantees the transparency of data processing. However, the data subject must take action in order to assert their right of access.
Important for you as a garage:
- As a rule, the information must be provided within 30 days.
- The first step is to identify the enquirer, either on site or online using a copy of their ID.
- Discuss the next steps with your data protection consultant at impunix. Depending on the customer relationship, a clarifying discussion may be able to defuse the situation and reduce the amount of correspondence required.
Dealing with copies of ID cards
Do both sides of the driving licence have to be copied?
Due to the principle of data minimisation enshrined in the Swiss Data Protection Act, it is recommended that only the back of the ID document is copied, e.g. as part of a test drive. The information on the back is usually sufficient. This not only makes sense from a data protection point of view, but also saves time in the process.
How long and where may the copies be stored?
In accordance with the Ordinance on Motor Insurance (VVV), copies of ID cards must be stored securely and confidentially for a period of 24 months. This applies in any case to journeys with garage numbers, but can also be regarded as a general retention period for all copies of ID cards for reasons of process efficiency.
How should the copies of ID cards be disposed of?
Copies of ID cards must be destroyed professionally: physical copies by shredding or disposal in the containers provided for this purpose, digital copies by final deletion.
#6 Data protection in the car dealership - with Volker Dohr and Micha Strässler
The new Swiss Data Protection Act has been in force since 1 September 2023 and brings with it a number of changes, including fines of up to a quarter of a million Swiss francs and personal liability. Volker Dohr and Micha Strässler from impunix advise and support garage businesses in implementing the new law and provide an overview of the most important changes and the tasks they entail in this episode of "Podcar".