MIL-OSI Translation: Xplain: the three procedures conclude with the adoption of all recommendations


MIL OSI Translation. Region: Italy –

Source: Switzerland – Federal Chancellery

Federal Data Protection and Transparency Commissioner

Berne, 04.06.2024 – At the end of May 2024, the Federal Office of Police (fedpol), the Federal Customs and Border Security Service (FCAB), and the company Xplain fully adopted the recommendations made by the FDPIC following the ransomware attack suffered by Xplain. In the second half of 2023, the FDPIC had opened three investigations. On May 1, 2024, it published the corresponding final reports with several data protection recommendations (see release dated 01.05.2024), which fedpol, the UDSC and Xplain have now adopted. The Federal Administration and its private service providers are expected to review their cooperation in light of the results of the three investigations. The FDPIC reserves the right to conduct the relevant reviews throughout the Federal Administration.

As part of the use and development of its digital applications, the Federal Administration collaborates with private companies that are entrusted with the processing of personal data. The review of the ransomware attack suffered by Xplain from a legal oversight perspective clearly highlights the extent of the risks and possible harm that result from this type of data transmission. The adoption of the recommendations binds the Federal Administration and all of its private service providers to analyze these high risks and reduce them to an acceptable level in a timely manner by taking appropriate measures.

According to the findings of the three investigations, this requires compliance with the following basic principles of federal data protection legislation:

- As “data controllers” within the meaning of data protection law, federal agencies that cooperate with private companies (“data processors,” e.g., in the context of providing support services) are required to assess whether it is necessary for personal data to leave the federal administration’s protected ICT infrastructure, or for private providers to access that infrastructure, at all. They must also check whether personal data can be anonymized before it is transmitted, and assess what further technical or organizational measures need to be taken to prevent possible data protection breaches.

- After analyzing the relevant data protection risks and defining appropriate measures to mitigate them, federal agencies and private providers must document their implementation processes (e.g., data flows, anonymization, and access arrangements) in a comprehensive and understandable manner. Federal agencies are also required to define the necessary technical and organizational measures in their contracts with private providers, stipulating contractual penalties where necessary.

- When processing personal data, the private providers responsible for the processing must comply with the contractual obligations and conditions regarding the extent, intensity and duration of processing. Plans for the timely deletion of data, awareness-raising and training of employees, and periodic internal or external reviews are considered suitable measures for this purpose.

The FDPIC reserves the right to conduct audits throughout the Federal Administration and at its private service providers.

Contact for questions: Federal Data Protection and Information Commissioner (FDPIC), Tel. +41 58 462 99 31

Published by: Federal Data Protection and Transparency Office

