EU GDPR: What the EU's new general data protection regulation is all about and what Swiss companies must pay attention to
The EU has long been committed to protecting the privacy of its citizens. In the age of Google, Facebook and countless online shops such as Amazon or Zalando, this is more necessary than ever. From 25 May 2018, a new EU-wide data protection law will apply: the so-called General Data Protection Regulation (GDPR). It is a worldwide milestone in the protection of privacy and fundamentally changes the conditions under which personal data may be collected, used and transferred.
We're all on the web these days, whether to listen to music on Spotify, watch films or series on Netflix, research a topic with Google search, chat with friends on WhatsApp, post the latest holiday photo on Facebook or Instagram, or read this blog post. These companies monitor our activities continuously, and our data is stored and analyzed.
But data is not only collected during online activities. Every time you shop at Migros with your Cumulus card, the card registers what you have bought (Migros is just one example of many). Combined with all the information collected on the web, this data helps to build an exact picture of a person and then to place targeted advertising.
Because of this vast amount of data, security on the Internet is becoming increasingly important. Cyber criminals frequently target personally identifiable information (names, addresses, social security numbers, tax identification numbers, payment card details, etc.). This has already led to numerous crimes such as financial theft and identity theft.
In recent years, the EU has developed a new general data protection regulation. It governs how this data about EU citizens is to be protected and strictly regulates how personal data may be handled. Personal data includes names, addresses, telephone numbers, license plates, hobbies and much more.
Protecting the fundamental rights and privacy of Internet users in the 28 EU countries is the top priority of the GDPR. At the same time, American "data octopuses" such as Google, Facebook and Amazon are also subject to limits within the EU.
Failure to comply with the GDPR will result in heavy fines. These can amount to up to 20 million euros or 4% of global turnover, whichever is higher.
No company will be able to excuse itself by claiming that it knew nothing about the new General Data Protection Regulation. The GDPR has been known since May 2016, which gave companies at least two years to prepare. In May 2018, it replaces the old Data Protection Directive of 1995.
The German Data Protection Act was already one of the strictest in the world. However, the penalties it imposed were far too lenient and therefore hardly deterred anyone. In addition, they were very rarely imposed, as the authorities tried to protect the economy.
Besides the newly dissuasive fines, the standardization of data protection law for 500 million EU citizens is another advantage of the new GDPR. There is no longer any legal uncertainty caused by differing laws in the individual EU member states, and EU citizens gain better control over their data.
But how does this EU regulation concern us in Switzerland? Is the GDPR even relevant for Swiss companies? Yes, it is. Any organization that comes into contact with EU citizens must take the GDPR into account. Companies located outside the EU that offer their services in EU countries are also subject to the GDPR, even if they have no branches in the EU.
In Switzerland, the Federal Council published a revised version of the Swiss Data Protection Act (FADP) in September 2017. It is closely modelled on European law but goes no further than necessary, which avoids pointless bureaucracy.
What is expected of companies?
Companies that process personal data of EU citizens are obliged to develop an effective security and data protection concept. To this end, the risks associated with the processing of personal data must be assessed, and the measures and procedures must then be defined on the basis of that risk assessment. They should reflect the current state of the art while remaining proportionate (effort versus benefit). The effectiveness of these data protection measures should be reviewed at regular intervals.
In addition, companies are expected to maintain a record of processing activities. This record includes in particular the name and contact details of the data controller, the purposes of the processing, the categories of data subjects, the categories of personal data and the categories of recipients (who have access to the data).
When storing the data, the following must be taken into account:
- Personal data must be limited to what is necessary for processing.
- Stored data is expected to be accurate. Data that is not accurate must be deleted.
- It may only be possible to identify the person for as long as the processing requires. Afterwards, the data must be deleted or its link to the person concerned must be removed.
- The protection of personal data must be guaranteed during processing.
In the event of a data breach, the company must report the incident to the supervisory authority without delay, and in any case within 72 hours of becoming aware of the breach. In addition, the natural persons concerned must also be informed.
For EU citizens, the new GDPR is of course a positive improvement in data protection. However, the companies concerned need a lot of time, know-how and resources to comply with it. Since this article only gives a rough introduction to the topic, I have linked the complete GDPR. As a company, it often makes sense to seek external help from a lawyer in coping with this complex task.