About GDPR (2018) & P-LPD Regulation (2019)
Since May 25th, 2018, following numerous issues related to mass data-mining by large companies, a new regulation, the General Data Protection Regulation (GDPR, RGPD in French), governs the collection of personal data from customers, users or subcontractors in the European Union (EU), but also in Switzerland.
If you are an entity that processes data of a personal nature, you are probably affected too. As a result, you have obligations with which you must comply. The same applies to companies which, given their situation, have distinct obligations as subcontractors for EU countries.
Any website that uses web-tracking to follow the activities of its visitors or to observe their browsing behaviour can draw conclusions about the interests, preferences or habits of Internet users. The GDPR will no doubt apply.
Who has distinct obligations to inform?
- Processing of personal data by a Swiss company as a subcontractor on behalf of a European company.
- Processing of Union residents’ personal data by a Swiss-based company to the extent that it processes such data for its offers of goods and services in the Union, regardless of whether payment is required or not.
- Customer profiling in the EU (particularly data collected to do business and sold to third parties).
The 10 key principles of data protection
- Who is processing the data
- What legal basis allows you to collect user data
- What are the purposes of collecting personal data
- What types of personal data you collect
- How long you’re going to store the data
- Whether you transfer the data internationally
- Whether you use the data in automated decision-making
- What third parties you share the data with
- What are the data subjects’ rights
- How you’ll inform users that your policy has changed
The 6 principal goals of data protection
- Define the purpose and respect the rights of people.
Before collecting and using personal data, it is compulsory to inform users what their data will be used for in order to obtain their consent. These people have the right to access, correct, oppose or delete their data.
- Check the relevance of the data.
Only the data strictly necessary for achieving the objective can be collected. You should not collect more data than you really need. You must also pay attention to the sensitive nature of certain data, and make sure that it is accurate and current.
- Limit data retention.
Once the goal of data collection is achieved, there is no longer a need to keep the data, and it must be deleted.
- Secure the data.
The data controller must take all necessary measures to ensure the security of the data it has collected, but also its confidentiality, i.e. to ensure that only authorised persons can access it.
- Outsourced data.
In case of subcontracting, the organisation remains responsible for the data transmitted. It must ensure that the subcontractor complies with the same data protection rules.
- Process data outside the EU.
When a company is not physically present in the EU but collects personal data relating to EU nationals, for example through a website, the same data protection rules apply.
In practice, how to do it?
- Online communication (www);
- Raise awareness, inform and train;
- Do not store or transfer personal data that is freely accessible on the Internet;
- Be vigilant about databases for marketing purposes.
If you do not have a DPO (Data Protection Officer) in your company, ARTELABS helps you implement GDPR compliance according to the types of data you collect for your activity.