On 25 May 2018, far-reaching changes came into force for the online sector, not only in Switzerland but throughout Europe. The reason was the General Data Protection Regulation, better known as the GDPR. A lot has happened since the EU regulation was introduced. There was plenty of trouble and uproar at the beginning, but the dust has settled somewhat, so that today, after a good two years of the GDPR, we can take stock of what has really changed. It is important to note that the GDPR does not apply directly in Switzerland as such: Swiss companies are subject to Swiss data protection law. Nevertheless, a number of GDPR provisions can affect Swiss companies directly or indirectly. For this reason, the GDPR remains an important issue for all companies, and also for many private individuals with an internet presence. Enjoy reading!
When are companies affected by the GDPR at all?
Basically, there are only three scenarios in which a company falls under the GDPR. Since the regulation is about rules for the processing of personal data, that processing is the main focus of all three.

Firstly, all companies with an establishment in the European Union are affected. This covers all Swiss companies that also have one or more locations in the EU. Compared with the two factors that follow, this one probably applies to the fewest companies.

Secondly, companies that offer goods or services to persons in the EU are affected. It is important to note that this also applies to online shops. So if you run an online shop with customers from the EU, for example from Germany or Austria, you must comply with the GDPR.

The third and last factor concerns monitoring the behaviour of your customers in the EU. This is aimed mainly at tracking surfing behaviour for advertising and personalised offers. So if you use plugins or other software tools to track customer behaviour, you also fall under the GDPR.

In short: the GDPR covers all companies with an EU establishment, as well as all companies that offer goods or services in the EU or monitor the behaviour of persons in the EU.
What are the necessary steps to comply with the GDPR?
If you fall under the GDPR, you must fulfil six obligations. The first is the duty to inform the persons whose data you process and, where consent is the legal basis, to obtain that consent from them. Then you must guarantee "Privacy by Design" and "Privacy by Default". This is followed by the appointment of a representative in the European Union, where required, and the drawing up of a record of processing activities. In addition, you must report personal data breaches to the supervisory authority and carry out a data protection impact assessment for processing that is likely to result in a high risk for the persons concerned.

If you are not yet sure whether you already fulfil all these obligations, it is important to check as soon as possible. A violation of the GDPR can result in considerable economic damage: the fine for a single violation can amount to up to four percent of annual turnover. And this is not only a question of turnover in Switzerland or the EU, but of worldwide annual turnover. It is therefore worth checking twice.