1. What is the EU GDPR?
It is the EU's new data protection law. Its main purpose is to regulate the use of so-called "personal data" and to make its handling stricter.
GDPR stands for General Data Protection Regulation.
The GDPR is a compilation of "digital rights" for EU citizens. The new regulation comes into force on May 25, 2018.
The GDPR also affects companies and associations in Switzerland, and substantial financial penalties can be imposed on Swiss companies and associations.
Please note that the information is for informational purposes only and does not constitute legal advice in any way. No liability is accepted. We are happy to answer any questions you may have.
2. Are Swiss companies and associations affected by the GDPR?
The GDPR (General Data Protection Regulation) affects not only European companies, but also Swiss companies and associations, as well as anyone who deals with personal data that could potentially originate from the EU. This includes, for example, sending newsletters to EU citizens.
"If a sole trader targets people in the EU with their website and offers them freebies such as newsletters or white papers, for example, then the GDPR applies in this regard." (Attorney Martin Steiger, quoted on Watson)
The GDPR therefore applies to anyone who handles data belonging to EU citizens. This probably includes you too.
A Swiss counterpart to the GDPR, a new federal law on data protection, is currently being drafted. As an online marketing agency, we will keep you up to date on any new developments.
3. What is "personal data"?
Personal data, or "personally identifiable information" (PII), can be any information relating to individuals, regardless of whether it relates to their private, public, or business lives.
Personal data is specifically:
names,
private addresses,
photos,
email addresses,
bank details,
social media posts,
medical data,
IP addresses
and everything in between :)
The GDPR requires companies to ensure that individuals have control over their personal data.
Users must now be given the option not only to access stored data, but also to change, delete, or simply export it (e.g., transfer Spotify playlists to Deezer and vice versa).
4. How long may personal data be stored?
You may only store personal data for as long as it is necessary for the purposes for which you store the data [Art. 5(1)(e)].
Always try to keep in mind why you received the data and be aware of the time limit.
EXAMPLE
A person applies with their resume and other personal data. If you, as an SME, have advertised a specific position, you should delete the personal data as soon as possible after rejecting the applicant, as it is no longer necessary to store it.
As an employment agency, you are probably allowed to store resumes for longer than a "normal" SME, as you can use the documents for multiple positions. However, even here it is hardly justified to store personnel files for several years, as resumes become outdated after a while anyway.
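The following is an added example in JavaScript, not code from the original article, showing how the storage limitation rule from Art. 5(1)(e) can be enforced mechanically: every stored record carries the purpose it was collected for, a retention policy maps each purpose to a deadline, and a periodic job lists what is overdue. The purpose names, the 180-day pool period and the sample records are constructed for the illustration and are not figures from the article or from the law. The code generalizes the article's two cases into an event-based rule (delete once the purpose has ended, the rejected applicant) and a time-based rule (delete after a fixed period, the agency pool).

```javascript
// Added example, not from the original article. The purposes, the retention
// periods and the sample records are constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed retention policy: purpose -> rule. `from: 'closed'` means the clock
// starts when the purpose has ended (e.g. the applicant was rejected);
// `from: 'received'` means the clock starts when the data arrived.
const RETENTION_POLICY = {
  // SME advertising one position: delete as soon as the position is decided.
  'application-specific-position': { retainDays: 0, from: 'closed' },
  // Employment agency pool: reusable for several positions, but not for years.
  // 180 days is a placeholder period chosen for this example.
  'application-agency-pool': { retainDays: 180, from: 'received' },
  // Newsletter subscriber: delete the address once the subscription ends.
  'newsletter-subscription': { retainDays: 0, from: 'closed' },
};

// Date after which a record may no longer be kept, or null if the deadline has
// not started yet (event-based rule whose event has not happened).
function retentionDeadline(record) {
  const rule = RETENTION_POLICY[record.purpose];
  if (!rule) {
    // Data without a documented purpose has no justification for being kept
    // at all; surface it instead of silently retaining it.
    throw new Error(`no retention rule for purpose "${record.purpose}" (record ${record.id})`);
  }
  const start = rule.from === 'closed' ? record.closedAt : record.receivedAt;
  if (!start) return null;
  return new Date(start.getTime() + rule.retainDays * DAY_MS);
}

// IDs of all records whose retention deadline has passed at `now`.
function recordsDueForDeletion(records, now) {
  return records
    .filter(r => { const d = retentionDeadline(r); return d !== null && d <= now; })
    .map(r => r.id);
}

// Constructed sample data: four resumes, evaluated as of 25 May 2018.
const SAMPLE_RECORDS = [
  // applicant rejected on 20 March: due for deletion
  { id: 'cv-1', purpose: 'application-specific-position',
    receivedAt: new Date('2018-03-01T00:00:00Z'), closedAt: new Date('2018-03-20T00:00:00Z') },
  // position still open: keep
  { id: 'cv-2', purpose: 'application-specific-position',
    receivedAt: new Date('2018-05-10T00:00:00Z'), closedAt: null },
  // in the agency pool for almost a year: past the 180-day period, due
  { id: 'cv-3', purpose: 'application-agency-pool',
    receivedAt: new Date('2017-06-01T00:00:00Z'), closedAt: null },
  // recently received into the pool: keep
  { id: 'cv-4', purpose: 'application-agency-pool',
    receivedAt: new Date('2018-04-01T00:00:00Z'), closedAt: null },
];
const SAMPLE_NOW = new Date('2018-05-25T00:00:00Z');

console.log(recordsDueForDeletion(SAMPLE_RECORDS, SAMPLE_NOW)); // [ 'cv-1', 'cv-3' ]
```

The unknown-purpose case is deliberately an error rather than a silent "keep forever": a record whose purpose nobody can name is exactly the data the article says you should no longer be holding.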
5. GDPR Checklist Switzerland
You must offer the option to opt out of cookies on the website or explain how this can be implemented.
You may only use cookies (except those that are essential for the user to use the site) after the user has given their consent.
You need an accurate/correct privacy policy on your website. Here you will find privacy policy generators that may be able to help you:
You should use IP address anonymization for Google Analytics (see Google's information on IP anonymization).
Do not transmit any personal data (e.g., via contact forms) to Google Analytics (GA) or other analysis tools and website trackers. This would be contrary to the GDPR and could also lead to the deletion of your account with Google Analytics (as it is also against Google's guidelines). There are instructions on how to check whether personal data is stored in GA and what can be done about it.
Limit contact forms to only those personal data that are truly necessary for the service.
Refer to your privacy policy on the contact form. In our opinion, a checkbox is not necessary, but it would of course not be detrimental from a GDPR perspective.
Personal data must be encrypted and stored and transmitted securely.
Keep track of who has access to which data.
Serving your website over HTTPS (SSL/TLS) is a must.
You need the active consent of users to send them newsletters (passive consent is no longer sufficient).
You must be able to show when and where someone agreed to receive a newsletter.
Appoint a data protection officer (DPO) (mandatory only for organizations that work with large volumes of data, but also recommended for smaller companies).
Record your data processing procedure.
When sending and receiving emails, always use the TLS (or SSL) encryption protocol.
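As an added example, not code from the original article, here is a small JavaScript consent gate that illustrates the cookie, newsletter-evidence and analytics items of the checklist: non-essential cookies and trackers run only after an explicit "accept" for the current policy version, the stored consent record carries when and on which page consent was given so it can be shown later, and the page URL is scrubbed of e-mail addresses and name-like parameters before it is handed to an analytics tool. The cookie name, the policy version, the list of sensitive parameter names and the loadAnalytics callback are all assumptions made for this example.

```javascript
// Added example, not from the original article. Names such as CONSENT_COOKIE,
// CONSENT_VERSION, SENSITIVE_PARAMS and loadAnalytics are assumptions.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name of the consent cookie
const CONSENT_VERSION = 1;                 // bump whenever the cookie policy changes

// The record stored for each consent decision: what was chosen, when, on which
// page and under which policy version, so the decision can be shown later
// (checklist: be able to show when and where someone agreed).
function buildConsentRecord(choice, page, now = new Date()) {
  if (choice !== 'accept' && choice !== 'reject') {
    throw new Error('choice must be "accept" or "reject"');
  }
  return { choice, page, version: CONSENT_VERSION, timestamp: now.toISOString() };
}

// Non-essential cookies and trackers may run only after an explicit "accept"
// for the current policy version. No record, "reject" or a record for an
// older policy all count as no consent (only essential cookies then).
function trackingAllowed(record) {
  return Boolean(record)
    && record.choice === 'accept'
    && record.version === CONSENT_VERSION;
}

// Personal data must not reach the analytics tool. Before a page URL is
// reported, blank the values of query parameters whose names suggest personal
// data, blank any parameter value that looks like an e-mail address, and
// finally strip e-mail addresses from the rest of the URL (path, fragment).
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const SENSITIVE_PARAMS = ['email', 'name', 'firstname', 'lastname', 'phone', 'uid'];

function redactPersonalData(url) {
  const u = new URL(url);
  // Copy the entries first: mutating searchParams while iterating it is unsafe.
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase()) || value.search(EMAIL_RE) !== -1) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  return u.toString().replace(EMAIL_RE, 'REDACTED');
}

// Browser glue. Outside a browser (no document, e.g. under Node) these
// functions simply report "no consent" so the pure functions above can be
// exercised on their own.
function readConsentRecord() {
  if (typeof document === 'undefined') return null;
  const prefix = CONSENT_COOKIE + '=';
  const raw = document.cookie.split('; ').find(c => c.startsWith(prefix));
  if (!raw) return null;
  try {
    return JSON.parse(decodeURIComponent(raw.slice(prefix.length)));
  } catch (e) {
    return null;   // an unreadable record is treated as no consent
  }
}

// Called from the banner's buttons; the consent cookie itself is essential.
function storeConsent(choice) {
  if (typeof document === 'undefined') return null;
  const record = buildConsentRecord(choice, window.location.pathname);
  document.cookie = CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(record))
    + '; Max-Age=31536000; Path=/; SameSite=Lax; Secure';
  return record;
}

// Called on page load: the tracker is loaded only with consent, and only ever
// sees a URL with personal data removed. Returns whether tracking was started.
function initTracking(loadAnalytics) {
  if (typeof document === 'undefined') return false;
  if (!trackingAllowed(readConsentRecord())) return false;
  loadAnalytics(redactPersonalData(window.location.href));
  return true;
}
```

The loadAnalytics callback is where the tracker script is actually injected; for Universal Analytics loaded via gtag.js it is also the place where the anonymize_ip option is passed to gtag('config', ...), which is the IP anonymization setting the checklist refers to. Bumping CONSENT_VERSION when the policy changes invalidates old records, so visitors are asked again rather than being tracked under a consent they never gave for the new policy.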
Questions or input? Write them in the comments below.
6. GDPR Assessment and avoidance of fines
To assess liability for violations and fines, take stock of all personal data you have collected and review it using the following six questions:
For what purpose do you keep this data?
How did you get the data?
What was the original purpose of the procurement?
How long do you want to keep this data?
Is the data secure, both in terms of encryption and in terms of who can access it?
Do you share the data with third parties, and if so, for what purpose?
Keep in mind that companies are not required to prove their compliance, but the supervisory authorities have the right under the GDPR to conduct audits and inspections.
7. That is why the GDPR is necessary
The GDPR is good news for all internet users.
Users are increasingly concerned about how their personal data is being used—and rightly so.
At a time when there are repeated reports of uncontrolled data breaches, this new regulation addresses users' concerns and gives them rights and obligations regarding data processing. This is a much-needed improvement, not only in light of the recent Facebook data scandal.
The GDPR is intended to offer Internet users greater protection and security and simplify surfing the Internet, which is also good news for website operators, as it can strengthen trust.
8. Key rights and obligations under the new Data Protection Act 2018
1. Right of access
The right of access is a right of the data subject. This gives EU citizens the right to access stored personal data and access information about the processing of personal data.
2. Right to erasure
The right to erasure means that the data subject has the right to request the erasure of their personal data on one of several grounds, including non-compliance with Article 6(1) (lawfulness).
3. Right to data portability (Art. 20 GDPR)
Everyone has the right to transfer their personal data from one electronic processing system to another without being hindered by the controllers. Data that is sufficiently anonymized is exempt from this. (GDPR Art. 20: https://dsgvo-gesetz.de/art-20-dsgvo/)
4. Obligation: data protection by design and by default, i.e. strict data protection settings at every step (Art. 25 GDPR)
Privacy settings on every part of a website, whether through forms, analytics, or anywhere user data is managed or stored, must be set to a high level by default. This means that users do not have to take any additional steps to ensure that their data remains private by default.
The controller shall implement technical and procedural measures to ensure that the entire processing lifecycle complies with the Regulation. Encryption can remove personal data from the scope of the GDPR. This means that if data is fully encrypted, it is no longer identifiable and therefore no longer falls within the scope of the GDPR.
Encryption and decryption processes must be performed locally to ensure that both the keys and the data remain under the control of the data owner, thereby preserving privacy.
Some encryption techniques may not be sufficient to remove personal data from the scope of the GDPR. Controllers should carefully review the encrypted data and assess whether the data is at risk of being decrypted, taking into account possible future technologies.
5. Obligation to keep records of activities
This means that records must be kept of data processing activities, describing in detail the purpose of the processing, the categories of data concerned, and the expected time limits.
6. Obligation to report violations within 72 hours
The GDPR stipulates a new requirement: controllers must report any personal data breaches to their country's supervisory authority within 72 hours of becoming aware of them, unless the data has been anonymized or encrypted. Breaches that are dangerous to individuals (identity theft, breach of confidentiality, etc.) must also be reported directly to the individuals concerned.
9. Who is your data protection officer?
The GDPR requires the mandatory appointment of a DPO (Data Protection Officer) for every company or organization that stores or processes large amounts of personal data, whether for employees, individuals outside the organization, or both.
A DPO must be appointed where an organization's core activities consist of data processing that requires regular and systematic monitoring of the data concerned. The DPO is an expert who should be familiar with data protection regulations and practices and who can support and monitor data controllers to ensure that they comply with the GDPR.
The data protection officer must be able to prove "consent" (opt-in) and ensure that consent can be revoked. The identity and contact details of the data controller in your company must be provided.
Although not mandatory for every organization, a data protection officer is recommended in most companies.
10. GDPR: Amount of possible fines
The fines have been increased. There are two levels of fines depending on the offense.
The maximum penalty for non-compliance with the GDPR is €20,000,000 or up to 4% of your global annual turnover (based on the figures for the previous financial year), whichever is higher.
11. Recent ECJ ruling September 2019
The ECJ has ruled on four very important questions:
Website operators are always jointly responsible with Facebook for data protection violations.
The unsolicited transfer of user data via the Facebook Like button on websites violates data protection law.
Competition associations can issue costly warnings to websites that have integrated Facebook's Like button without the option to consent.
Cookies that are set for tracking or advertising purposes require genuine consent from website visitors. A cookie notice banner is not sufficient.
12. Conclusion
The GDPR is good news for individuals and the public. It is another step toward strengthening the security of the internet and, above all, promoting fairness and respect in the use of personal data.
As a Swiss company or association, it is important that you are aware of your obligations and comply with them. You can consult a lawyer to be on the safe side, and you can check the above GDPR Switzerland checklist in advance and go through it carefully.
Questions and feedback?
Write your questions in the comments and we will be happy to answer them.

