Data protection in Europe: the new obligations of companies

The EU data protection regulation also applies to Swiss-based SMEs. As of 25 May 2018, they hence must comply with seven legal requirements to avoid having fines imposed upon them.

Does your company use personal data of natural persons located in the EU? Does this data processing occur in connection with an offer of goods or services or with the aim to track the behavior of natural persons in the EU area? If this is the case, you are very likely to be affected by the new General Data Protection Regulation (GDPR) of the EU. Many Swiss SMEs are currently putting effort into bringing their activities, and in particular their websites, in line with the GDPR, which will enter into force on 25 May 2018.

In order to determine whether a company falls within the scope of the GDPR, it is important to know whether the natural persons whose data are being processed are located in the EU and whether the company intends to reach people in the EU. Information to help SMEs find out if they are within the scope of this law can be found here.
According to Monique Cossali Sauvain, head of the Legislative Projects and Methodology Unit at the Federal Department of Justice, the size of the company and the type of data processed are not relevant to the application of the GDPR. “In practice, this rule is unlikely to apply to small shops like a bakery or a hairdressing salon: these shops do not offer goods or services to people in the EU, nor do they track their behavior. It may, however, apply to a small developer of a dating app, if it offers services to residents of the EU.”

Companies that fall within the scope of the GDPR must fulfill seven central obligations.

  1. Inform and obtain the consent of the data subject
    If the legitimacy of data processing is based on the consent of the data subject, it must be given voluntarily and based on detailed, discernible and specific information. Consent must be given actively and explicitly. On the other hand, it does not require a specific form and can also be given orally. What is important is that the company can prove the consent. And it must always be possible to revoke it.
  2. Ensure “privacy by design” and “privacy by default”
    Already when planning data processing, the company must take technical and organizational measures to ensure compliance with the GDPR and to protect the data of the data subjects (privacy by design). In addition, it must ensure through default settings that only the data required for the respective purpose is collected (privacy by default).
  3. Appoint a representative in the EU
    The obligation to appoint a representative in the EU does not apply if data processing is only occasional, does not involve special categories of data and entails almost no risk.
  4. Prepare a list of processing activities
    The company, or the processors acting on its behalf, must keep a record giving an overview of its data processing activities and the methods used.
  5. Report any data breaches to the regulatory authority
    The company must provide rapid mechanisms to notify the data subjects and the relevant regulatory authorities in the event of a breach of data protection.
  6. Perform a data protection impact assessment
    A type of data processing that carries a high risk of violating rights and freedoms must be subject to an impact assessment.
  7. Pay penalties for violations of the GDPR
    The fine that businesses have to pay in the event of a data protection breach can amount to up to 4% of the worldwide annual revenue in the past fiscal year.

Good news for all companies that are now adapting to the EU Regulation: the revised internal procedures, directives, contracts and confidentiality declarations that result from this work should also be in line with future Swiss requirements in this area. In January 2018, the National Council’s Political Institutions Committee called for a revision of data protection law in two stages. Companies that adapt to the GDPR will therefore be prepared for this revision. Given the increasing digitization of businesses and the growing role of personal data in their activities, such a reform is important for the protection of the rights of individuals.

For further details, please contact International HR Services Ltd.