Collecting Personal Data

Collection is one form of processing of personal data. Therefore, all processing requirements apply to the collection of personal data.

Data collection must be lawful

According to the FADP, the collection of personal data must be lawful, i.e. in accordance with other applicable laws (as long as they also protect personality rights). In particular, the collection of personal data is unlawful if the data is collected by unlawful means, such as the illegal recording of conversations, unlawful trespassing or secret monitoring of persons.

Issues to consider when collecting data

Some issues to consider when collecting personal data include:

  • Informing data subjects appropriately about the data processing. Typically, this information obligation is fulfilled by providing a data privacy notice;
  • This duty of information also applies when data is not collected from data subjects. In this case, the controller additionally informs the data subjects of the categories of personal data that are processed. This information has to be given to the data subjects at the latest one month after receipt of the personal data by the controller. If the controller discloses the personal data prior to this date, it must inform the data subjects at the time of disclosure at the latest;
  • Providing data subjects with all information required for them to assert their rights according to the FADP and to ensure transparent processing of data, in particular (i) the controller’s identity and contact information; (ii) the purpose of the processing; and (iii) if applicable, the recipients or categories of recipients to whom personal data is disclosed;
  • If personal data is disclosed abroad, the controller also provides data subjects with information on the name of the state or international body and, if applicable, the safeguards for ensuring appropriate protection abroad;
  • Obtaining any consents required for the data processing (however, consent is not always required);
  • Subject to certain exceptions, controllers are required to keep records of all data processing activities which must, inter alia, include information on the identity of the controller, the purpose of the processing, as well as a description of the categories of data subjects and the categories of the processed personal data.