About GDPR & P-LPD Regulation
Since May 25th, 2018, after many issues related to mass data-mining of users' data by big companies without their consent, a new regulation called the General Data Protection Regulation (GDPR, RGPD in French) has been in force. It was agreed and approved by the European Commission in 2016 and has applied since 2018.
If you are an entity that processes data of a personal nature, you are probably affected too, and you therefore have obligations with which you must comply. The same applies to companies which, depending on their situation, have distinct obligations as subcontractors for entities in EU countries.
Any website that uses web tracking, cookies, online forms or analytical tools (internal or external) to follow the activities of its visitors or to observe their browsing behaviour can draw conclusions about the interests, preferences or habits of Internet users. The GDPR will no doubt be applicable.
Personal data is information about a natural person, identified directly or indirectly. It can be a name, a photograph, an IP address, a phone number, a computer connection identifier, a postal address, a fingerprint, a voice recording, a social security number, an e-mail address and even a Google Captcha.
The recognition of a right to be forgotten
The GDPR also recognises a right to be forgotten (to obtain the withdrawal or deletion of personal data in the event of a breach of privacy) and a right to data portability (to be able to move from one social network to another).
Companies must also inform users quickly in the event of internal or external data leakage (hacking or due to a server-side or application vulnerability).
Who has distinct obligations to inform?
- Processing of personal data by a Swiss company as a subcontractor on behalf of a European company.
- Processing of Union residents’ personal data by a Swiss-based company to the extent that it processes such data for its offers of goods and services in the Union, regardless of whether payment is required or not.
- Customer profiling in the EU (particularly data collected to do business and sell to third parties).
11 key principles on data protection
- Consent or Acceptance Policy (Especially for E-commerce)
- Who is processing the data
- What legal basis allows you to collect user data
- What are the purposes of collecting personal data
- What types of personal data you collect
- How long you’re going to store the data
- Whether you transfer the data internationally
- Whether you use the data in automated decision-making
- What third parties you share the data with
- What are the data subjects’ rights
- How you’ll inform users that your policy has changed
The 6 key goals of data protection
- Define the purpose and respect the rights of people.
Before collecting and using personal data, it is compulsory to tell users what their data will be used for, in order to obtain their consent. These people have the right to access, correct, oppose the processing of, or delete their data.
- Check the relevance of the data.
Only the data strictly necessary for achieving the objective can be collected; you should not collect more data than you really need. The organisation must also pay attention to the sensitive nature of certain data and make sure that the data is accurate and up to date.
- Limit data retention.
Once the goal of data collection is achieved, there is no longer any need to keep the data, and it must be deleted.
- Secure the data.
The data controller must take all necessary measures to ensure the security of the data it has collected, and also its confidentiality, i.e. to ensure that only authorised persons can access it.
- Outsourced data.
When processing is subcontracted, the organisation remains responsible for the data transmitted. It must ensure that the subcontractor complies with the same data protection rules.
- Process data outside the EU.
When a company is not physically present in the EU but collects personal data relating to EU nationals – for example through a website – the same data protection rules are applicable.
In practice, how to do it?
- Online communication (www);
- Raise awareness, inform and train;
- Do not store or transfer personal data that is freely accessible on the Internet;
- Be vigilant about databases for marketing purposes.
If you do not have a DPO (Data Protection Officer) in your company, ARTELABS helps you to implement your GDPR according to the types of data you collect for your activity.
- CNIL: General Data Protection Regulation. (PDF)
- Fédération des Entreprises Romandes: Excellent Training to understand the RGPD. (FR)
- Swiss Confederation: Federal Data Protection Act. (FR, DE, IT)
- Infomaniak Network SA: Protection of your personal data. (FR, EN, DE, IT, ES)
- ThinkData: Data Protection and Transparency Awareness Service. (FR, EN, DE, IT)
- ICO (the UK's independent authority): Guide to the GDPR. (PDF)