GDPR – General Data Protection Regulation

Author: Severin Renold
Source: admin.ch
Topic: GDPR

The General Data Protection Regulation

The General Data Protection Regulation (GDPR), adopted by the European Parliament on 14 April 2016, harmonises the rules for the processing of personal data, the rights of data subjects and the obligations of controllers throughout the EU.

The GDPR, together with the national accompanying legislation (the Data Protection Adaptation Act 2018 and the Data Protection Deregulation Act 2018), has applied since 25 May 2018, and every processing operation must comply with it. Any company that processes personal data in any way (e.g. keeps a customer file, issues invoices, stores supplier data) is affected and faces significant changes. Violations can be sanctioned with fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, which is reason enough to take the issue seriously.

Everyone doing business within the EU must comply with the GDPR. It also applies to companies from non-EU states that offer goods or services to people in the EU or monitor their behaviour, regardless of where the company is based or the citizenship of the people concerned. In concrete terms, Swiss companies whose target group is mostly in Switzerland are affected as well: it is often hard to trace where customers are actually located or via which third-party providers their data has flowed and been made accessible. The same applies to employees, suppliers or other cooperation partners with a connection to the EU.


What does it mean in concrete terms?

Ultimately, these legal texts give people in the EU more rights, which obliges controllers to take measures regarding the transparency, accessibility, traceability, use, processing and deletion of their data. On request, you must be able to say promptly where you store a person's data and how you protect it, and you must be able to delete that data irrevocably. These information obligations also apply if no declaration of consent was originally required or if the data was obtained via an independent third party.

For your online presence, this means that the user must consent to the processing by a written, electronic or oral statement or by another clear affirmative action. It is not sufficient to present a consent declaration that is pre-ticked so that the user has to become active in order to object; silence, a pre-ticked box or inactivity does not constitute consent, even if no objection is raised. The controller must be able to demonstrate that the data subject has consented to the processing of their personal data (Article 7 GDPR).

It is therefore worthwhile to document contacts completely and to keep them in one central place (keyword: customer data and CRM). Contact rules should be coordinated centrally, and opt-ins and opt-outs should be proactively requested and recorded. This will cost some leads who are put off by the extra steps or were previously unaware of how their data was being collected, but you are then on the safe side.

 

Violation of the GDPR

A personal data breach must be reported to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 GDPR). Under Article 34 GDPR, the data subject must also be informed of the breach if it is likely to result in a high risk to their rights and freedoms.


Need for action for you

  • Appoint an internal data protection officer (mandatory in the cases listed in Article 37 GDPR) and allow sufficient time and budget for implementation.
  • Identify which channels you use to collect data, what that data is, and how it is stored, secured and processed.
  • Check that the onboarding process for your customer data obtains the customer's clear consent as required by the GDPR.
  • Examine all aspects of your duty to inform and whether you can cover them.
  • Test the irrevocable deletion procedure for customer data.
  • If possible, call in an expert for further protection and confirmation.
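The consent requirements described above (only a clear affirmative action counts, a pre-ticked box does not, and the controller must be able to demonstrate consent) and the deletion test in the last list item can be made concrete in code. The following Python sketch is an added example and is not code from the original article or from admin.ch; the class and field names, the list of non-affirmative actions and the sample customer IDs are assumptions made for illustration. It keeps a central ledger of consent events per data subject, refuses to record a "grant" that came from a default or pre-ticked state, answers whether consent is valid at a given time, hands back the evidence record, and verifies that an erasure request leaves nothing behind.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Actions the GDPR does not accept as consent (Recital 32): silence,
# pre-ticked boxes, inactivity. The set itself is an assumption of this
# example; extend it to match the channels your forms actually use.
NON_AFFIRMATIVE_ACTIONS = {"default", "pre_ticked", "no_objection", "inactivity"}


class InvalidConsent(ValueError):
    """Raised when an event would record something that is not valid consent."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous key into the CRM
    purpose: str           # e.g. "newsletter", "profiling"
    granted: bool          # True = opt-in, False = withdrawal
    notice_version: str    # version of the privacy notice the person saw
    channel: str           # "web_form", "email", "phone", ...
    action: str            # what the person actually did, e.g. "ticked_box"
    at: datetime           # timezone-aware timestamp of the action


class ConsentLedger:
    """Central, append-only record of opt-ins and opt-outs per subject."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise InvalidConsent("timestamp must be timezone-aware")
        if ev.granted and ev.action in NON_AFFIRMATIVE_ACTIONS:
            raise InvalidConsent(f"{ev.action!r} is not a clear affirmative action")
        self._events.setdefault(ev.subject_id, []).append(ev)

    def withdraw(self, subject_id: str, purpose: str, channel: str, at: datetime) -> None:
        # Withdrawal is just another event; the notice version is not relevant to it.
        self.record(ConsentEvent(subject_id, purpose, False, "", channel, "withdrew", at))

    def _latest(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        candidates = [e for e in self._events.get(subject_id, [])
                      if e.purpose == purpose and e.at <= at]
        return max(candidates, key=lambda e: e.at, default=None)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        at = at or datetime.now(timezone.utc)
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The record a controller shows to demonstrate consent (Article 7 GDPR)."""
        return self._latest(subject_id, purpose, datetime.now(timezone.utc))

    def erase(self, subject_id: str) -> int:
        """Remove everything keyed to the subject; returns the number of events removed."""
        return len(self._events.pop(subject_id, []))

    def is_erased(self, subject_id: str) -> bool:
        return subject_id not in self._events


def demo() -> dict:
    """Opt-in, rejected pre-ticked box, withdrawal and erasure on constructed data."""
    t0 = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    results = {}

    # 1. Valid opt-in: the person ticked an unticked box on the web form.
    ledger.record(ConsentEvent("cust-1001", "newsletter", True, "privacy-v3",
                               "web_form", "ticked_box", t0))
    results["opt_in_valid"] = ledger.has_consent("cust-1001", "newsletter", t0)

    # 2. A pre-ticked box on another form is not consent; the ledger refuses it.
    try:
        ledger.record(ConsentEvent("cust-1002", "profiling", True, "privacy-v3",
                                   "web_form", "pre_ticked", t0))
        results["pre_ticked_rejected"] = False
    except InvalidConsent:
        results["pre_ticked_rejected"] = True
    results["cust_1002_has_consent"] = ledger.has_consent("cust-1002", "profiling", t0)

    # 3. Evidence for the valid opt-in names notice version, channel and action.
    ev = ledger.evidence("cust-1001", "newsletter")
    results["evidence"] = (ev.notice_version, ev.channel, ev.action)

    # 4. Withdrawal a week later: no consent from then on, but the history
    #    still shows it was valid before, which matters for past mailings.
    t1 = t0 + timedelta(days=7)
    ledger.withdraw("cust-1001", "newsletter", "email", t1)
    results["after_withdrawal"] = ledger.has_consent("cust-1001", "newsletter", t1)
    results["before_withdrawal"] = ledger.has_consent("cust-1001", "newsletter", t0)

    # 5. Erasure request: everything keyed to the subject goes, and the
    #    result is checked rather than assumed (the "test the deletion" step).
    results["erased_events"] = ledger.erase("cust-1001")
    results["erase_verified"] = (ledger.is_erased("cust-1001")
                                 and ledger.evidence("cust-1001", "newsletter") is None)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real CRM the ledger would be a database table keyed to the same pseudonymous ID as the customer record, and `erase` would have to cover every store that holds the person's data (backups and exports included), not just this one; the point of the example is that consent is stored as an event with who, what, when, through which channel and under which notice version, so that the proof the controller must produce is already in hand.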