Implementation of EU GDPR at Datatrans
After a two-year transitional period, the EU General Data Protection Regulation (GDPR) finally enters into force on 25 May 2018.
The overarching goal of the EU GDPR is to harmonise and simplify existing legislation for protecting personal data within the EU.
Due to its extraterritorial nature, the GDPR also affects Swiss companies. Because every person in the EU is entitled to this particular level of protection, the EU GDPR also applies to merchants, online shops and service providers in Switzerland who sell products and services to customers in the EU. The new data protection legislation must also be observed if a company operates a branch or subsidiary in the EU. It is also likely that Swiss legislators will follow suit. The first revisions to the Federal Act on Data Protection (FADP) have already been drafted and are in many respects very similar to the EU GDPR.
Swiss companies will therefore be able to align themselves with the GDPR, even if the EU GDPR does not yet apply to them. In short, there will be no way for Swiss companies to get around the new regulation in the future. Non-compliance with the new data protection legislation comes with the threat of fines as high as EUR 20 million or 4% of a company’s total global turnover.
One main concern of the GDPR is to strengthen the rights of users by granting them easier access to their data. They have the right at all times to know what data is being collected about them and who is processing their data and for what purpose. Users’ ‘right to be forgotten’ is also being solidified. This means that it will be easier for individuals to delete information that has been published about them in the future.
The new regulation not only covers particularly sensitive personal data, such as medical data, personal profiles and sensitive payment details, but also any type of personal data, regardless of the nature of its confidentiality. Collecting an e-mail address belonging to a resident of the EU for the purpose of sending a newsletter is subject to the same strict requirements of the EU GDPR.
Datatrans is making every possible effort to ensure full compliance with EU GDPR requirements in due time and to guarantee the highest level of protection when processing personal data. High protection standards are already in place for credit card data thanks to the implementation of the security measures from the PCI DSS standard. Now, the task is to expand the existing data protection and security concepts to other personal data – specifically where this makes sense.
In the course of implementing the EU GDPR, various measures were taken at Datatrans in consultation with an external legal adviser. These include:
- Drafting a sample contract for order processing
- Revising the data protection policy
- Documenting processes for dealing with the rights of data subjects
- Designating an internal data protection officer
- Applying greater scrutiny to our order data processors with respect to the processing of personal data
- Internal staff training
All of this is far from a finished matter. Rather, these measures are subject to ongoing monitoring and revision.
The implementation of the EU GDPR and the protection of personal data are therefore also imperative for online merchants conducting business internationally and service providers in Switzerland.
Our data protection officer Patrick Horisberger will be happy to answer any questions regarding the implementation of the EU GDPR: [email protected]