On 25 May 2018, the European Union replaced the previous Data Protection Directive with the new General Data Protection Regulation (GDPR), which, as a regulation (in contrast to a directive), not only harmonises the data protection laws of the EU Member States, but now unifies them. This means that the GDPR is directly applicable without transposition into national law (it is self-executing).
The Regulation has serious consequences for businesses. In addition to claims for damages by the parties concerned, infringements are liable to fines of up to 4 % of global (!) turnover (!) and wrongdoers, data protection officers and other decision-makers can be fined up to EUR 20 million. The official explanations (recitals) of the EU data protection regulation point out that the term «company» must be understood in the same way as the term in EU antitrust law. In EU antitrust law, the term «company» can effectively be understood as an entire group or holding company, even if only one subsidiary is actually responsible. This is the case when the parent company controls the subsidiary. In this case, the fines of up to 4 % would relate to the entire turnover of the group or holding!
Swiss companies are not immune to this. According to the so-called marketplace or effects principle, the Regulation also applies to Swiss companies if their data processing serves to offer goods or services – whether free of charge or not – to natural persons in the EU. The Regulation also applies to Swiss companies if they or their representatives monitor the behaviour of natural persons in the EU.
Although the principles of data protection (lawfulness, good faith, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) remain the same, the Regulation represents a quantum leap in data protection. The Regulation will impose a considerable additional burden on businesses. Companies will have to create comprehensive new structures and processes to comply with the Regulation. The Regulation requires an extended documentation and evidence obligation, an analysis of data protection risks, a data protection impact assessment where high risks are expected, comprehensive information obligations when collecting data, stricter deletion obligations and a right to be forgotten, substantial notification and reporting obligations in the event of data protection violations, stronger data protection by design and by default, a record of processing activities, additional responsibilities for data protection officers in companies, and comprehensive rights for the persons concerned, in particular the rights of access, rectification, deletion and, indeed, the right to be forgotten.
The GDPR not only adds extra work for businesses, but also makes it easier for them to do business in certain areas. For example, the data of legal persons are no longer subject to data protection (in the future also in Switzerland), which considerably relieves the B2B sector. However, data of legal persons are not «fair game» in the future, but remain protected by the general protection of personality and in particular by the principles of unfair competition law (in Switzerland the UWG). The question does arise, however, whether the GDPR applies to data of natural persons working for or in a company. There is no case law on this so shortly after the Regulation was introduced, but research shows that a majority of commentators believe that the GDPR applies to such data. As data of natural persons are likely to be involved in almost all cases, particularly in the context of communication with companies, the question arises as to how useful it is to distinguish between data of legal entities and data of natural persons. The question is unlikely to be of practical importance, though, as sooner or later all companies will implement the GDPR.
Non-European companies that are active in the EU market, in particular those that collect data or observe market participants there, are advised to take a look at the new GDPR and to take appropriate precautions within the company. Involving data protection experts is likely to be unavoidable.
Concrete data protection measures
An important basis for this and for the fulfilment of the documentation obligations is the creation of a record of processing activities. The record of processing activities should contain the following information in particular:
- name and contact details of the data protection officer (company)
- purpose of the data processing
- categories of persons concerned
- categories of personal data processed
- categories of recipients of personal data
- information on data transfers abroad and their legal basis
- information as to when, or at least according to which criteria, personal data will be deleted
- general information on technical and organisational measures for data protection
The record of processing activities may be kept on paper or in electronic form.
In any case, it is recommended that a data protection officer be appointed. This should ensure continuous data protection auditing, the taking of necessary measures and advice on data protection. The data protection officer may be external or internal to the company. The internal data protection officer has the advantage of being close to the company. To this end, it must be ensured by means of an agreement with the employer that the data protection officer is free and independent of the employer in the relevant activity and that the employer cannot exercise any reprisals in that regard. A corresponding description of the duties of the data protection officer must be drawn up. The data protection officer fulfils his or her obligations if he or she performs these tasks with due care. However, he or she is not the person responsible for data protection; that is the company or its organs themselves.
Irrespective of the data protection impact assessment provided for in the GDPR for high risks, a risk analysis of possible data protection violations should always be carried out and the necessary measures taken.
Existing agreements with third parties, in particular with contract processors (third parties who process data for the company) must be continuously checked for their compatibility with data protection regulations and adapted if necessary.
As people in general are the weakest link in data protection, it is essential to regularly sensitise and train employees in data protection issues.
Under the GDPR, the rights of those affected have been strengthened. For example, they have a right to information, as well as a right to be forgotten or a right to deletion. To this end, it must be ensured that the system allows access to an overview of the relevant data.
The right to data portability is likely to be a challenge, especially for companies hosting personal data. This is because data subjects will now have the right to have their data stored in a format that allows transfer to other companies. In addition, persons concerned will be able to request direct transfers between these companies. This means that companies must ensure interoperability. An example is the case where an Apple customer wants to transfer their data from an iOS application (Apple) to an Android application (Google) because they switch from an iPhone to a smartphone with the Android operating system.
Finally, because it is visible from the outside, data protection communication is an essential element of concrete data protection measures. For internal communication, a set of internal data protection rules can be drawn up. Externally, communication takes place via a data protection policy (privacy statement).