GDPR Switzerland Checklist for Companies and Associations

1. What is the EU GDPR?

It is the new data protection law of the EU. Its main purpose is to regulate and more strictly manage the use of so-called "personal data" (PII).

The German abbreviation DSGVO stands for Datenschutz-Grundverordnung; in English it is called the General Data Protection Regulation, or GDPR.

The GDPR is a compilation of “digital rights” for EU citizens. The new regulation comes into effect on May 25, 2018.

The GDPR also affects companies and associations in Switzerland, and its substantial fines can also be applied to Swiss companies and associations.

Please note that this information is for informational purposes only and does not constitute legal advice in any way. All liability is disclaimed. Please feel free to contact us with any questions.

2. Are Swiss Companies and Associations Affected by the GDPR?

The GDPR affects not only European companies, but also Swiss companies and associations, or any person who deals with personal data that could potentially originate from the EU, for example because they send newsletters to EU citizens.

"If a sole proprietor targets individuals in the EU with their website and offers them freebies such as newsletters or whitepapers, then the GDPR is applicable in this regard." (Attorney Martin Steiger on Watson)

The GDPR therefore applies to everyone who deals with data from EU citizens. This likely includes you too. 

A Swiss equivalent to the GDPR, a new federal law on data protection, is currently being developed. As an online marketing agency, we will keep you informed about these updates.

3. What is "Personal Data"?


Personal data, also known as “Personally Identifiable Information - PII,” refers to any information related to an individual, whether it pertains to their private, public, or professional life.

Specifically, personal data includes:

  • Names,

  • Home addresses,

  • Photos,

  • Email addresses,

  • Bank details,

  • Social media posts,

  • Medical data,

  • IP addresses,

  • and everything in between :)

The GDPR requires companies to ensure that individuals have control over their personal data.

Users must now be able to not only access their stored data but also to modify, delete, or easily export it (for example, transferring Spotify playlists to Deezer and vice versa).


4. How long can personal data be stored?


Personal data may only be stored for as long as it is necessary for the specific purposes for which it was collected (Art. 5(1)(e) GDPR).

Always remember the original purpose for which you collected the data and adhere to any time limits for its storage.

EXAMPLE
Suppose you, as an SME, advertise a specific position and an individual applies for it, sending you their resume and other personal details. Once you have rejected their application, you should delete their personal data as soon as possible, because storing it any longer is no longer necessary for the purpose it was collected for.

As an employment agency, you might be permitted to store resumes for a longer period than a typical SME, as you can use these documents for various job positions. Nevertheless, even for agencies, it's generally not justifiable to retain personnel records for several years, as resumes tend to become outdated over time.
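The storage-limitation rule above can be turned into a routine sweep. The following is an added example, not code from the article: the retention clock starts when the purpose ends (for instance, the applicant is rejected), not when the data was collected, and the day limits per purpose are assumptions for illustration only, not legal retention periods.

```javascript
// Added example: a storage-limitation sweep in the spirit of Art. 5(1)(e).
// The retention clock starts when the purpose ends (e.g. the applicant is
// rejected), not when the data was collected. The day limits below are
// assumptions for illustration only, not legal retention periods.
const DAY_MS = 24 * 60 * 60 * 1000;

const RETENTION_DAYS = {
  'job-application': 30,  // SME hiring for one advertised position
  'talent-pool': 180,     // employment agency keeping CVs for several positions
  'newsletter': 0,        // purpose ends at unsubscribe: delete immediately
};

// Classify each record as keep / delete / review:
//  - 'review': the purpose has no configured limit, so a human must decide
//  - 'keep':   the purpose is still active, or the limit is not yet reached
//  - 'delete': the purpose has ended and the retention limit has passed
function retentionSweep(records, now, policy = RETENTION_DAYS) {
  const out = { delete: [], keep: [], review: [] };
  for (const r of records) {
    const limitDays = policy[r.purpose];
    if (limitDays === undefined) { out.review.push(r.id); continue; }
    if (!r.purposeEndedAt) { out.keep.push(r.id); continue; }
    const ageDays = (now.getTime() - r.purposeEndedAt.getTime()) / DAY_MS;
    (ageDays >= limitDays ? out.delete : out.keep).push(r.id);
  }
  return out;
}

// Constructed sample records (fictitious applicants), evaluated on 2018-07-01.
const SAMPLE_RECORDS = [
  { id: 'cv-101', purpose: 'job-application', purposeEndedAt: new Date('2018-05-01') }, // rejected 61 days ago
  { id: 'cv-102', purpose: 'job-application', purposeEndedAt: new Date('2018-06-20') }, // rejected 11 days ago
  { id: 'cv-103', purpose: 'job-application', purposeEndedAt: null },                   // still in the process
  { id: 'cv-201', purpose: 'talent-pool',     purposeEndedAt: new Date('2018-01-01') }, // 181 days ago
  { id: 'nl-301', purpose: 'newsletter',      purposeEndedAt: new Date('2018-06-30') }, // unsubscribed yesterday
  { id: 'x-401',  purpose: 'event-photos',    purposeEndedAt: new Date('2017-01-01') }, // no policy defined
];

function sampleSweep() {
  return retentionSweep(SAMPLE_RECORDS, new Date('2018-07-01'));
}
```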

5. Swiss GDPR Checklist

  1. You must provide a way for visitors to opt out of cookies on your website, or explain how they can do so.

  2. You may only use cookies (excluding those essential for a user to navigate the site) after the user has given their consent.

  3. You need an accurate and correct Privacy Policy on your website. Here are some Privacy Policy generators that might help you:

    1. Privacy Policy Generator Swiss Lawyer (Switzerland)

    2. Privacy Policy Generator Datenschutzpartner (Switzerland)

    3. Privacy Policy Generator Weiss & Partner (EU)

    4. Privacy Policy Generator Dr. Schwenke (EU)

  4. You should implement IP address anonymization for Google Analytics. Google info on IP anonymization

  5. Do not transmit personal data (e.g., via contact forms) to Google Analytics (GA) or other analytics tools and website trackers. This would violate the GDPR and could also lead to the deletion of your Google Analytics account (as it goes against Google's policies). Instructions are available on how to check whether personal data is stored in GA and what can be done about it.

  6. Limit contact forms to only the personal data that is truly necessary for the service provided.

  7. On the contact form, refer to your privacy policy. In our opinion, a checkbox is not strictly necessary, but it would certainly not be disadvantageous from a GDPR perspective.

  8. Personal data must be stored and transmitted encrypted and securely.

  9. Document who has access to which data.

  10. Your website must be served over HTTPS (an SSL/TLS certificate is a must).

  11. You need the active consent of users to send them newsletters (passive consent is no longer sufficient).

  12. You must be able to demonstrate when and where someone consented to a newsletter.

  13. Appoint a Data Protection Officer (DPO) (mandatory only for organizations handling larger data volumes, but also recommended for smaller companies).

  14. Document your data processing procedure.

  15. Always use the TLS (or SSL) encryption protocol when sending and receiving emails.
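Checklist items 2, 4 and 5 can be enforced in one place in the website's analytics bootstrap. The following is an added example, not code from the article or from onlineKarma: nothing is sent until the visitor has opted in to "analytics", the Universal Analytics flag anonymize_ip is set, and e-mail addresses are scrubbed from the reported page path so that data from contact forms does not end up in GA. It assumes the consent categories are stored in a cookie value such as "essential,analytics" and uses the placeholder property id 'UA-XXXXXXXX-1'.

```javascript
// Added example: consent-gated Google Analytics setup. Assumptions: consent
// categories live in a cookie value such as "essential,analytics", and
// 'UA-XXXXXXXX-1' is a placeholder property id.
const EMAIL_RE = /[^\s@&=/?]+@[^\s@&=/?]+\.[a-z]{2,}/i;

// Parse the consent cookie. Missing or malformed means essential cookies only.
function parseConsent(cookieValue) {
  const granted = new Set(['essential']);
  if (typeof cookieValue !== 'string') return granted;
  for (const part of cookieValue.split(',')) {
    const c = part.trim().toLowerCase();
    if (c === 'analytics' || c === 'marketing') granted.add(c);
  }
  return granted;
}

// decodeURIComponent throws on malformed percent-encoding; fall back to the raw value.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Drop query parameters whose value looks like an e-mail address and mask an
// e-mail embedded in the path itself (e.g. /u/jane@example.com/profile).
function scrubPagePath(pathWithQuery) {
  const i = pathWithQuery.indexOf('?');
  const path = i < 0 ? pathWithQuery : pathWithQuery.slice(0, i);
  const query = i < 0 ? '' : pathWithQuery.slice(i + 1);
  const safePath = safeDecode(path).replace(EMAIL_RE, '[redacted]');
  const kept = query.split('&').filter(p => p && !EMAIL_RE.test(safeDecode(p)));
  return kept.length ? `${safePath}?${kept.join('&')}` : safePath;
}

// Returns the gtag() commands to issue once gtag.js is loaded, or [] when
// analytics consent is absent (in that case gtag.js must not be loaded at all,
// so no analytics cookie is ever set).
function analyticsCommands(cookieValue, pathWithQuery, propertyId = 'UA-XXXXXXXX-1') {
  if (!parseConsent(cookieValue).has('analytics')) return [];
  return [['config', propertyId, {
    anonymize_ip: true,                       // checklist item 4
    page_path: scrubPagePath(pathWithQuery),  // checklist item 5
  }]];
}
```

In the browser, call analyticsCommands with the consent value read from document.cookie and location.pathname + location.search after the consent banner has been accepted, then load gtag.js and pass each returned command to window.gtag(...cmd).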

Questions or input? Write in the comments below.

6. GDPR Assessment and Avoidance of Fines


To assess liability for violations and fines, take an inventory of all personal data you have collected and review it using the following 6 questions:

  1. For what purpose do you hold this data?

  2. How did you obtain the data?

  3. What was the original purpose of collecting it?

  4. How long do you intend to keep this data?

  5. Is the data secure, both in terms of encryption and of who can access it?

  6. Do you share the data with third parties, and if so, for what purpose?

Remember that companies are not obligated to prove their compliance, but the authorities have the right under the GDPR to conduct audits and inspections.

7. Why the GDPR is Necessary

GDPR: A Positive Development

The GDPR is good news for all internet users.

Users are increasingly concerned about how their personal data is used – and rightly so.

In an era of continuous reports about uncontrolled data breaches, this new regulation addresses user concerns and grants them rights and responsibilities regarding data processing. This is a much-needed improvement, especially following the recent Facebook data scandal.

The GDPR aims to provide internet users with greater protection and security and simplify online browsing. This is also good news for website operators, as it can help build trust.

8. Key Rights and Obligations of the New Data Protection Law 2018


1. Right of Access

The right of access belongs to the data subject. This grants EU citizens the right to access their stored personal data and information regarding its processing.

2. Right to Erasure

The right to erasure means that the data subject has the right to request the deletion of their personal data for one of several reasons, including non-compliance with Art. 6(1) (lawfulness of processing).

3. Right to Data Portability (Art. 20 GDPR)

Everyone has the right to transfer their personal data from one electronic processing system to another without hindrance from the data controllers. An exception applies to data that is sufficiently anonymized. (GDPR Art. 20: https://dsgvo-gesetz.de/art-20-dsgvo/)

4. Obligation: Data Protection by Design – Strict Privacy Settings at Every Step (Art. 25 GDPR)

Privacy settings on every part of a website, whether through forms, analytics, or wherever user data is managed or stored, must be set to a high level by default. This means the user does not need to take additional steps to ensure their data remains private by default.

The data controller implements technical and procedural measures to ensure that the entire data processing lifecycle complies with the regulation. Encryption can remove personal data from the scope of the GDPR. This means that if data is fully encrypted, it is no longer identifiable and thus no longer falls under the GDPR's purview.

Encryption and decryption processes must be performed locally to ensure that both the keys and the data remain under the data owner's control, thereby preserving privacy.

Some encryption techniques may not be sufficient to remove personal data from the scope of the GDPR. Controllers should carefully review the encrypted data and assess whether it is at risk of being decrypted, taking into account possible future technologies.

5. Duty to keep records of activities

This means that records of data processing activities must be kept, which very precisely describe the purpose of processing, the categories involved, and the expected time limits.

6. Reporting requirement for breaches within 72 hours

The GDPR introduces a new requirement: data controllers must report any personal data breach to their country's supervisory authority within 72 hours of becoming aware of it, unless the data has been anonymized or encrypted. Breaches that pose a risk to an individual (such as identity theft, confidentiality breaches, etc.) must also be reported directly to the affected individuals.

9. Who is your Data Protection Officer?


The GDPR mandates the appointment of a DPO (Data Protection Officer) for any company or organization that stores or processes large amounts of personal data, whether for employees, individuals outside the organization, or both.

This applies where the controller's core activities consist of data processing that requires regular and systematic monitoring of the data concerned. The DPO is an expert who should be familiar with data protection regulations and practices, and who can support and monitor controllers to ensure their compliance with the GDPR.

The Data Protection Officer must be able to demonstrate "consent" (opt-in) and ensure that consent can be withdrawn. The identity and contact details of the data controller in your company must be provided.

While not mandatory for every organization, a Data Protection Officer is recommended for most companies.

10. GDPR: Amount of potential fines


Fines have been increased. There are two levels of fines, depending on the offense.

The maximum penalty for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your worldwide annual turnover (based on the figures from the previous financial year), whichever amount is higher.

11. Current ECJ Ruling September 2019

The ECJ has addressed 4 very important questions:

  • Website operators are, alongside Facebook, always jointly responsible for data protection breaches.

  • The unsolicited transfer of user data via the Facebook Like button on websites violates data protection law.

  • Competition associations can issue costly warnings to websites that have integrated Facebook's Like button without a consent option.

  • For cookies used for tracking or advertising purposes, genuine consent from website visitors is required. A cookie notice banner is not sufficient.

12. Conclusion


The GDPR is good news for individuals and the public. It is another step towards strengthening internet security and, above all, promoting fairness and respect in the use of personal data.

For you, as a Swiss company or association, it is important that you are aware of your obligations and comply with them. You can consult a lawyer to be on the safe side, and you can also print out and carefully review the GDPR Switzerland Checklist above beforehand.


Questions and Feedback?

Please write your questions in the comments, and we will be happy to answer them.
