About GDPR & nFADP

Since May 25th, 2018, and after many controversies over mass data-mining by big companies without users' consent, a new regulation called the General Data Protection Regulation (GDPR, or RGPD in French) has been in force. It was agreed and approved by the European Commission in 2016 and has applied since 2018.

If you are an entity that processes personal data, you are probably affected too, and you therefore have obligations with which you must comply. The same applies to companies which, given their situation, have distinct obligations as a sub-contractor for EU countries.

Any website that uses web-tracking, cookies, online forms or analytical tools (internal or external) to follow its visitors' activities or observe their browsing behaviour can draw conclusions about the interests, preferences or habits of Internet users. The GDPR will no doubt apply to it.

Personal data is information about a natural person who is identified directly or indirectly. It can be a name, a photograph, an IP address, a phone number, a computer connection identifier, a postal address, a fingerprint, a voice recording, a social security number, an e-mail address and even a Google Captcha.

As of September 1, 2023, Switzerland enters a new era in the management of users' and customers' personal information. The nLPD is the revision of the Federal Data Protection Act (DPA), i.e. the new Federal Act on Data Protection (nFADP). In essence, it is a major legislative change that will affect citizens, residents and businesses alike.

The nLPD aims, in short, to ensure adequate protection of personal and sensitive data, adapting to the technological and social changes that characterise the current context. The new law also aims to make Swiss law compatible with European law, in particular with the European Data Protection Regulation (GDPR or RGPD): this will help preserve the free movement of data with the European Union and ensure the competitiveness of Swiss companies.

What changes, in a nutshell

The nLPD introduces several key changes. First, only the data of natural persons will be protected; data of legal persons is excluded. Genetic and biometric data, for example, are now included in the definition of "sensitive data." In addition, the law introduces the principles of "Privacy by Design" and "Privacy by Default," so that data protection and respect for user privacy are built into the structure of products or services that collect and store personal data, such as a website. In theory, this also ensures a high level of security that is applied automatically, without the need for user intervention.

The new law, as mentioned, sets stricter standards for privacy, accessibility and transparency, so you will have to take on the task (and responsibility) of making sure that the platforms you use (website, promotional e-mails, social channels, etc.) comply with the new requirements.

Differences with the EU

Companies that already comply with the EU General Data Protection Regulation (GDPR) will have minimal changes to make. The association SwissPrivacy.Law has published a comparison table between the nFADP and the EU Regulation, which can be consulted at this link (in French):

The recognition of a right to be forgotten

The GDPR also recognises a right to be forgotten, i.e. to obtain the withdrawal or deletion of personal data in the event of a breach of privacy, and a right to data portability, i.e. to be able to move one's data from one social network to another.

Companies must also inform users quickly in the event of an internal or external data leak (hacking, or a server-side or application vulnerability).

DIGITALABS - ICT & Web Technologies: EU General Data Protection Regulations (GDPR)

Who has distinct obligations to inform?

  • Processing of personal data by a Swiss company as a subcontractor on behalf of a European company.
  • Processing of Union residents’ personal data by a Swiss-based company to the extent that it processes such data for its offers of goods and services in the Union, regardless of whether payment is required or not.
  • Customer profiling in the EU (particularly data collected to do business and sell to third parties).

Key points your data protection policy must cover

  1. Consent or Acceptance Policy (especially for e-commerce)
  2. Who is processing the data
  3. What legal basis allows you to collect user data
  4. What are the purposes of collecting personal data
  5. What types of personal data you collect
  6. How long you’re going to store the data
  7. Whether you transfer the data internationally
  8. Whether you use the data in automated decision-making
  9. What third parties you share the data with
  10. What the data subjects' rights are
  11. How you’ll inform users that your policy has changed

6 key principles on data protection

  • Respect the rights of people: state what data is used and obtain users' consent.
  • Limit data retention: once there is no need to keep the data, it should be removed.
  • Outsourced data: the same rules apply to the subcontractor.
  • Check the relevance of the data: only strictly necessary data can be collected.
  • Secure the data: ensure data security and confidentiality.
  • Process data outside the EU: the rules apply even if you are not physically present in the EU.

Purposes on data protection

  1. Define the purpose and respect the rights of people.
    Before collecting and using personal data, it is compulsory to tell users which data is used and for what purpose, in order to obtain their consent. These people have the right to access, correct, oppose or delete their data.
  2. Check the relevance of the data.
    Only the data strictly necessary for achieving the objective can be collected. You should not collect more data than you really need. The data controller must also pay attention to the sensitive nature of certain data and make sure that it is accurate and current.
  3. Limit data retention.
    Once the goal of the data collection is achieved, there is no longer a need to keep the data and it must be removed.
  4. Secure the data.
    The data controller must take all necessary measures to ensure the security of the data collected, but also its confidentiality, i.e. to ensure that only authorised persons can access it.
  5. Outsourced data.
    In case of subcontracting, the organisation remains responsible for the data transmitted. It must ensure that the subcontractor complies with the same data protection rules.
  6. Process data outside the EU.
    When a company is not physically present in the EU but collects personal data relating to EU nationals – for example through a website – the same data protection rules apply.

In practice, how to do it?

  • Online communication (www);
  • Raise awareness, inform and train;
  • Do not store or transfer personal data that is freely accessible on the Internet;
  • Be vigilant about databases for marketing purposes.

If you do not have a DPO (Data Protection Officer) in your company, DIGITALABS helps you implement GDPR compliance according to the types of data you collect for your activity.

A “Privacy Policy” clause and a “Data Protection Statement” covering the processing of personal data through files, cookies, analysis tools, contact forms, statistical tools and any publications on social networks are required.
