Music and the law: News on data protection
From the legal advice practice of the Swiss Music Pedagogical Association SMPV: Dr. iur. Yvette Kovacs, legal advisor to the SMPV and lawyer in Zurich, answers questions from SMPV members.
Question from an SMPV member: Many SMPV members have their own homepages. Visitors leave their IP addresses when they visit them, and perhaps their name and e-mail address if they contact the musicians via the contact form. If Google Analytics is installed, for example, personal data is processed; if someone orders a CD via the homepage, for example, he or she even leaves their home address. The following questions therefore arise:
- How much effort does a simple musicians' website have to put into complying with the new data protection law?
- Is it enough to create a customized privacy policy once and place it clearly visible on the homepage in the footer, or does it have to be continuously updated, e.g. if a plug-in is installed?
- What additional obligations do owners of a simple (musician's) website have when dealing with personal data in the broadest sense?
Answer Dr. Kovacs:
1. From September 1, 2023, the completely revised Data Protection Act (DPA) will come into force in Switzerland. Musicians will also have to deal with the new requirements. In particular, fines of up to CHF 250,000 can be imposed if the requirements are not met. This article provides guidelines on this, but this does not mean that a detailed risk assessment is no longer necessary.
2. The effort required to comply with data protection regulations is limited for musicians. In particular, as an SME, they no longer have to comply with complex obligations that only apply to larger companies. The new requirements must be implemented once in advance. Afterwards, the relevant information only needs to be integrated in the event of changes to the law or changes to your own business activities or the design of your website.
3. The following key questions must be clarified in advance in your own company and clearly communicated to potential users of your website as part of a detailed privacy policy.
3.1 What personal data is collected and how is it processed? Precise information about the operating systems and programs used, e.g. as follows:
- Cookies and image elements
- Newsletters and marketing emails
- Google Analytics
- Google reCaptcha
- Plug-ins
- Profiling / automated decision-making
This information must be updated when new programs and systems are used. Information must also be provided on whether and how these can be switched off or bypassed.
3.2 What is the purpose of the data processing? The data may only be collected and processed for the specified purpose. E.g. the following information:
- Information and advertising on offers, services, websites and other platforms on which you are present;
- Communication with third parties and processing their inquiries (e.g. inquiries from interested parties)
- Examination and optimization of procedures for needs analysis for the purpose of direct customer contact and collection of personal data from publicly accessible sources for the purpose of customer acquisition;
- Implementation of "online meetings".
- Registration to receive the newsletter with information about the right of withdrawal at any time
3.3 From whom do you receive personal data?
3.4 To whom do you disclose personal data? Specify the recipients or categories of recipients to whom personal data will be disclosed.
3.5 How long will the personal data be stored? Ensure that the personal data is deleted or anonymized as soon as it is no longer required for the original purpose of collection. In particular, the tracking of data on websites must be checked and, if necessary, removed.
3.6 How is the data technically protected? Prompt notification must be made to the Federal Data Protection Commissioner (FDPIC) in the event of a data security breach. The FDPIC has issued guidelines on technical security, which are available online on its website.
3.7 How are data subjects informed about the collection and processing of data? State the exact identity and address, online and offline, of the person responsible for data collection and processing, and provide information about the data subject's right to information, rectification and erasure. The obligation to provide information also applies to data obtained from third parties.
3.8 How do you have control over contracted third parties? Written contracts with external data processors must be checked and signed, and adjusted if necessary.
3.9 Is data obtained from abroad or transferred there? Is the GDPR observed for the EU area, or other legal systems for other countries?
4. The bottom line is that you must inform the potential readers and users of your websites about all these issues and always keep this information up to date. The corresponding data protection declarations must be drafted individually, as the respective information can vary greatly. The SMPV's legal advice center can offer support at any time.