The revised Data Protection Act now contains a legal definition of profiling that corresponds to the EU GDPR and was not included in the previous FADP. According to this definition, profiling is “any form of automated processing of personal data which consists of using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location”.
In the preliminary draft, the Federal Council had originally proposed that profiling should in future always be permitted only with a justification, such as the consent of the data subjects. Certain statements in Parliament implied a similar understanding, although this Federal Council proposal did not find its way into the law. Profiling would therefore have to remain permissible without consent in the future as well. This also applies to so-called “high-risk profiling”, even though the debates in Parliament have led to some uncertainty and the issue is still likely to lead to discussions in the literature and case law. In our assessment, however, it can be assumed that Parliament did not want to deviate from the established basic concept of Swiss data protection law with regard to profiling, including high-risk profiling.
For private controllers, consent or another justification for profiling (including high-risk profiling) will thus only be required in the case of data processing that violates personal privacy. However, depending on the type and scope of profiling, this may be the case relatively quickly, so that consent or another justification ground may be required. Since there is often great uncertainty with regard to justification by an overriding interest, it will not be uncommon in the future to recommend obtaining consent. If “high-risk profiling” must be assumed, then only explicit consent will suffice as a (possibly required) justification.
High-risk profiling was one of the main points of contention that almost caused the FADP revision to fail. Whether high-risk profiling exists is relevant not only to the requirement that consent be explicit, but also to the justification ground of creditworthiness checks (see below). The revised FADP defines high-risk profiling as follows:
“Profiling that entails a high risk to the personality or fundamental rights of the data subject by leading to a combination of data that allows an assessment of essential aspects of the personality of a natural person”.