+41 (0)22 552 55 65 info@barraudconsulting.com

A few paragraphs to get a basic idea of the “new” GDPRand understand when and how to set it up.

You have also received dozens and dozens of communications about GDPR. You want to adapt, but don’t know where to start, because everyone says different things?

In this article, we tried to get the new legislation in order and investigated the most important points.

The General Data Protection Regulation (GDPR) was adopted in May 2016 and companies had two years to adapt. It provides for the effective protection of personal data, ensuring a minimum level ofdata protection at the international level. In addition, try to give a minimum order to the various national regulations, each country being free to adopt stricter rules.

Essayons d’analyser certains des principaux aspects qui distinguent le GDPR 

To understand how and if it is necessary to make changes toadapt to the RGPD,the first step is to find out what personal data you are dealing with and in what situation (in technical jargon, we are talking about the processing register).

In order to proceed with this step, which no one can do for you, it is first necessary to understand what is meant by personal data. The legal definition, quite simple, leaves room for many interpretations. It recognizes personal data as a

“informationthat identifies or makes him identifiable,directly or indirectly, a natural person and that can provide information about his characteristics, habits, lifestyle, personal relationships, status, health, economic situation, etc.”

To process third-party personal data, a justified reason is required. The main change made by theRGPD in this area is that this reason must be explained to the person concerned and that the person concerned must be aware that they have been collected or that theycan be collected.

Every citizen has a whole range of rights, including the right of access and the right to be forgotten. In the first case, the person concerned has the right to obtain confirmation from the processing manager that there is an ongoing processing of personal data concerning his person, in order to know: the purpose of processing this data, categories of personal data in question, recipients or categories of recipients to whom personal data will be shared, etc. In the second case, however, the person concerned has the right to obtain from the person in charge of the processing the removal of personal data concerning him without undue delay, which obliges the person in charge of the processing to delete the relevant data.

Personal data must be protected by appropriate security measures (technical and organizational in nature), subject to continuous adjustments. Data encryption is highly recommended.

With theRGPD, the principles of “confidentiality by design” and “confidentiality by default” have been formalized. In the first case, we are talking about the introduction of a personal data management system from the design of a service or productinvolving personal data collection. In the second case, the person in charge of the treatment must adopt appropriate technical and organisational measures to ensure that only the personal data necessary for each purpose of the treatment is processed. In essence, confidentiality should always be guaranteed by default.

The figure of the Data Protection Delegate (DPO) in Switzerland is not compulsory,as there are no minimum requirements to be a DPO, which is not recommended for companies with more than 40 to 50 employees or systematically and continues to sensitive data (for example, regarding health) of many people with OPDs with the necessary skills. Companies may decide to use their own data protection representative as an external consultant, who must be guaranteed time for their work.

The DPD must have the necessary independence: it is absolutely not recommended that the owner of a business or rather a systems analyst be simultaneously the DPD. In addition, the DPD must be able to conduct independent audits (independent assessments to obtain evidence) and be able to impose amendments.

RPGD legislation is an ongoing process that periodically requires a review of security rules and an ongoing analysis of access to data or the precise timing of access and the reasons for the use of the data.

Staff training plays a central role: anyone with access to personal data must take regular data processing courses, delivered by qualified staff. In addition, it will be appropriate to carry out (or have carried out) these trainings at least once a year.

In the event of a data breach, the GDPR provides for the new obligation to report this violation to the competent authority within 72 hours. As is often the case in law, this obligation is not absolute, but depends on individual cases. Sanctions may be draconian, but will depend on the objective situation: those who have trained their own staff, are equipped with a DPO and have been subject to regular audits within the company, will be treated very differently from those who have done nothing, it is repeat and hides the truth of authority.

Let’s end by analysing the situation in Switzerland to date. The adaptation of the Swiss standard was delayed because the rule, which provided for much stricter implementation than the minimum set by the GDPR,was rejected by the Federal Chambers. A new project is planned for 2019, but that does not mean that Swiss companies are not already required to comply with the GDPR!

In this regard, it is necessary to remember that a Swiss company must comply with the regulations if:

  • Elle a un bureau en Suisse, mais possède des succursales dans l’Union européenne
  • Elle a un bureau en Suisse, mais vend des produits et / ou des services aux citoyens européens.

the new regulation will also apply to Swiss companies which, in the event of a violation, can be punished up to 20 million euros with penalties corresponding to 4% of their annual global turnover

We are ready to help you. Get in touch with us!