General Data Protection Regulation (GDPR)

About GDPR (2018) & P-LPD Regulation (2019)

Since May 25th, 2018, following numerous controversies about mass data-mining by large companies, a new regulation, the General Data Protection Regulation (GDPR, known as RGPD in French), governs the collection of personal data from customers, users and subcontractors in the European Union (EU). It also reaches companies established in Switzerland.

If you are an entity that processes personal data, you are probably affected too, and you therefore have obligations with which you must comply. The same applies to companies which, given their situation, have specific obligations as subcontractors (processors) for organisations in EU countries.

Any website that uses web tracking to follow the activities of its visitors or to observe their browsing behaviour can draw conclusions about the interests, preferences or habits of Internet users. The GDPR will almost certainly apply to it.

EU General Data Protection Regulation (GDPR)

Who has specific obligations?

  • Processing of personal data by a Swiss company as a subcontractor (processor) on behalf of a European company.
  • Processing of the personal data of persons in the Union by a Swiss-based company, to the extent that it processes such data in connection with offering goods or services in the Union, whether or not payment is required.
  • Profiling of customers in the EU (in particular data collected in order to do business with, or sell to, third parties).

The 6 key principles of data protection

  • Define the purpose and respect the rights of the persons concerned.
    Before collecting and using personal data, it is mandatory to inform the persons concerned of what the data will be used for and to obtain their consent (or rely on another lawful basis). These persons have the right to access, correct, object to the processing of, or delete their data.
  • Check the relevance of the data.
    Only the data strictly necessary to achieve the stated purpose may be collected. The controller must not collect more data than it really needs. It must also pay particular attention to sensitive categories of data, and must make sure that the data held are accurate and up to date.
  • Limit data retention.
    Once the purpose for which the data were collected has been fulfilled, there is no longer any reason to keep them and they must be deleted.
  • Secure the data.
    The data controller must take all necessary measures to ensure the security of the data it has collected, including their confidentiality, i.e. to ensure that only authorised persons can access them.
  • Outsourced data.
    When processing is subcontracted, the organisation remains responsible for the data it transmits. It must ensure that the subcontractor (processor) complies with the same data protection rules.
  • Processing of data outside the EU.
    When a company is not physically present in the EU but collects personal data relating to persons in the EU, for example through a website, the same data protection rules apply.

In practice, how to do it?

  • Online communication (your website and other web presence);
  • Raise awareness, inform and train staff;
  • Do not store or transfer personal data where it is freely accessible on the Internet;
  • Be vigilant about databases used for marketing purposes.

If you do not have a DPO (Data Protection Officer) in your company, ARTELABS helps you implement GDPR compliance according to the types of data you collect in the course of your activity.

This task will include 3 areas of analysis and knowledge:
  1. Legal.
  2. Information Security (ISS, IT, ICT).
  3. Organisational.

The ARTELABS CTO is familiar with these 3 fields (including the LPD, the Swiss Data Protection Law), which were the subject of his thesis during his SSI (information systems security) training at the University of Geneva. This is especially relevant for customers who operate an interactive website and collect “sensitive” data for their own activity.

A “Privacy Policy” clause and a “Data Protection Statement” covering the processing of personal data through files, cookies, analytics tools, contact forms, statistical tools and any publications on social networks are required.

Get in touch

We will help you to implement GDPR compliance.