The GDPR will enter into force on May 25, 2018 and will be directly applicable to all actors operating in the territory of the European Union (EU), i.e., all businesses that offer goods or provide services to natural persons in the EU (for example, through e-commerce websites or other online sales platforms) or that analyze the behavior of such natural persons. The regulation is broad in scope and also applies to non-European companies that process the data of European citizens (art. 3), including Swiss companies. The GDPR should not be taken lightly: infringements are subject to penalties of up to €20 million, or 4% of worldwide annual turnover.
Greater rights for citizens
This new regulation affords greater rights to European citizens: first and foremost, they must be specifically, transparently and fully informed, in clear and plain language, about how their data will be processed, in particular where the information is intended for children (arts. 11-14). They are also entitled to obtain confirmation of whether their personal data are being processed and to access such data, together with any additional information (right of access, art. 15). In addition, they can request that their data be rectified or completed (art. 16) or even erased (“right to be forgotten”, art. 17). In specific cases, they may restrict the processing of their personal data (art. 18), in which case the data may be stored but may no longer be used in further processing. Furthermore, every rectification, erasure or restriction of processing must be communicated to each recipient to whom the personal data have been disclosed (art. 19). Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit such data to other operators (right to data portability, art. 20). At any time, they may object to the processing of their data, including for direct marketing purposes (art. 21), and they are entitled not to be subject to automated decision-making (art. 22), including profiling. Last but not least, they have the right to be informed of any breaches of their personal data (art. 34).
The proactive role of companies
For their part, aside from the increased transparency and information obligations laid out above and the need to obtain express consent to data collection and processing (arts. 6-8), companies that act as controllers or processors of the data of European citizens now have a more proactive role to play and weightier obligations: not only must they ensure formal compliance with the rules, they must also adopt technical and organizational measures that guarantee data protection (including pseudonymization and minimization) from the design stage onward (privacy by design, art. 25), and use only the personal data necessary for each specific processing purpose (privacy by default, art. 25). Subject to exceptions (i.e. businesses with fewer than 250 employees, but only if they do not perform processing that may present a risk to the data subjects), companies must also keep a record of processing activities (the content of which is listed in art. 30). The technical and organizational data protection measures must be appropriate (art. 32) and designed to ensure that any security gaps are discovered immediately and that any breaches are reported within 72 hours to the competent supervisory authority (in Switzerland: the Federal Data Protection and Information Commissioner) and to the data subject (data breach, arts. 33-34). If the processing is likely to present a high risk, companies must first conduct a risk assessment (data protection impact assessment, art. 35). In the case of regular, systematic and large-scale monitoring, or of large-scale processing of sensitive data (arts. 37-39), companies must have a Data Protection Officer (DPO), choosing whether to train staff internally or to use an external agency. Controllers or processors that are not established in the EU but are nonetheless subject to the GDPR must appoint a representative in the EU (art. 27). Failure to appoint this representative shall entail a fine of up to €10 million (art. 27 and art. 83, par. 4).
And how will Switzerland adapt?
The Swiss Confederation is also keeping pace with the new European GDPR. Indeed, the Federal Act on Data Protection (FADP) is currently being revised to bring it into line with EU law. However, the National Council Political Institutions Committee wants the revision to take place in stages: the adjustments required by European law will be made first, and only afterwards will a full revision of the data protection act proceed. On the Swiss front, we will therefore need to wait for the outcome of the political process, which will still require a good deal of time.
Disclaimer: this article is exclusively for informational purposes and cannot in any case be considered a legal opinion or professional advice. We shall bear no liability for any damages caused by errors or omissions.