The General Data Protection Regulation (GDPR) is the EU legal framework that sets the rules for collecting and processing the personal data of individuals in the European Union. It was adopted in 2016 and has applied since May 25, 2018. GDPR applies to organizations regardless of where they are established: any organization that offers goods or services to individuals in the EU, or monitors their behaviour, is bound by it. Its goal is to make companies transparent about the personal data they handle and to ensure that every use of that data rests on a lawful basis.
GDPR has far-reaching implications for companies that process personal data, and its aim is to make that processing more transparent and more secure. Any organization that stores and processes employee or customer data faces new obligations. Personal data may be collected only for a defined purpose and must be limited to what that purpose requires (purpose limitation and data minimisation, Art. 5), in the spirit of “as little as possible, but as much as necessary.” The rules apply not only to large companies and online shops but to any business that stores and processes customer data. Companies must take increased measures to protect that data, including clear privacy notices and consent texts, and must keep records of their processing activities (Art. 30) to demonstrate accountability.
GDPR from the User's Perspective
For users, GDPR brings numerous advantages and more control over their data than before. Companies must disclose what happens with the data instead of hiding behind legal clauses. Users have the right to know which companies store their data and how it is used (right of access, Art. 15). They can demand the correction of inaccurate or incomplete data (right to rectification, Art. 16), in certain cases have their data deleted (right to erasure, Art. 17), and object to processing (Art. 21).
Comparison between the New Swiss Data Protection Act (nDSG) and the General Data Protection Regulation (GDPR)
The new Swiss Data Protection Act (nDSG, the revised Federal Act on Data Protection), in force since September 1, 2023, differs from the European General Data Protection Regulation (GDPR) in several important respects. The key differences:
Sanctions
- nDSG: Fines of up to CHF 250,000 are imposed on the responsible private individuals, not on the company, and only for intentional violations.
- GDPR: EU member state supervisory authorities can impose administrative fines on the company of up to EUR 20 million or 4% of its global annual turnover, whichever is higher, for serious violations (Art. 83).
Appointment of a Data Protection Officer (DPO)
- nDSG: Appointing a Data Protection Officer (DPO), called a Data Protection Advisor (DPA) in Switzerland, is not mandatory but is explicitly encouraged.
- GDPR: According to Art. 37 GDPR, the appointment of a DPO is mandatory under certain circumstances.
Reporting Data Breaches
- nDSG: Data breaches that are likely to result in a high risk to the data subject must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible; no fixed deadline is set.
- GDPR: Data breaches must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Art. 33), unless the breach is unlikely to result in a risk to individuals.
Data Exports
- nDSG: The Federal Council decides which countries offer adequate protection for data exports; EU standard contractual clauses (with Swiss adaptations) and binding corporate rules can be used as safeguards.
- GDPR: The European Commission decides which countries offer adequate protection; EU standard contractual clauses and binding corporate rules likewise serve as safeguards.
Data Protection Impact Assessment
- nDSG: A data protection impact assessment (DPIA) must be conducted where processing is likely to pose a high risk to the personality or fundamental rights of the data subject. If a high risk remains after the planned measures, the controller must consult the FDPIC, or may instead consult its own data protection advisor (DPA) if it has appointed one.
- GDPR: If a high risk remains after the planned measures, the supervisory authority must be consulted (Art. 36).
Profiling
- nDSG: The revised law regulates profiling explicitly, in particular the automated processing of personal data to assess personality traits. Consent is required only for high-risk profiling.
- GDPR: Profiling is not singled out as a separate category; it requires a legal basis like any other processing, and decisions based solely on automated processing (including profiling) that have legal or similarly significant effects are restricted by Art. 22 unless they are necessary for a contract, authorized by law, or based on explicit consent.
Sensitive Data
- nDSG: Since September 1, 2023, “particularly sensitive data” under the nDSG also includes data on administrative or criminal proceedings and sanctions, and on social assistance measures. The nDSG therefore has two more categories of sensitive data than GDPR.
- GDPR: Sensitive data, called “special categories of personal data” in GDPR (Art. 9), comprises racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person’s sex life or sexual orientation.
In summary, the nDSG has been largely aligned with the European GDPR to preserve the competitiveness of Swiss companies, but the differences above remain relevant in practice.