What is the General Data Protection Regulation?
The General Data Protection Regulation (EU) 2016/679, abbreviated as GDPR, entered into force on May 24th, 2016 and has applied since May 25th, 2018, after a transition period of two years. The GDPR has standardized and tightened data protection law in the European Union (EU). It also applies to many companies and organizations in Switzerland and other countries outside the EU, in particular if they offer goods or services to persons in the EU or monitor their behavior.
What happens if you do not comply with the GDPR?
Those who violate the new EU data protection law can be fined up to 20 million euros or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. These are the maximum penalties; the turnover-based figure matters above all for large tech companies such as Google or Facebook.
Apart from any fine, the costs of proceedings over an alleged violation of the GDPR can already be painful.
Data protection violations are also frequently the subject of formal warnings (cease-and-desist letters) from competitors, consumer protection associations or the affected individuals themselves. This can not only cause considerable costs, but also severely restrict a company’s ability to act.
Why does the new EU data protection law also apply to many companies in Switzerland?
With the GDPR, the EU introduces the market location principle into data protection law (Art. 3 (2) GDPR):
The GDPR applies to the processing of personal data of people located in the EU, regardless of their nationality. It also applies when such data is processed by a company in Switzerland or in another country outside the EU – a so-called third country – provided the processing relates to offering goods or services to these people or to monitoring their behavior.
Under which conditions does the market location principle apply to companies in Switzerland?
Companies in Switzerland that offer goods or services to persons in the EU must comply with the GDPR. This expressly includes free offers such as e-books and newsletters for persons in the EU, since the GDPR applies irrespective of whether a payment is required (Art. 3 (2) lit. a GDPR).
In addition, the GDPR applies to companies in Switzerland that monitor the behavior of individuals in the EU, for example by analyzing visitors’ activities in an app or on a website (profiling and tracking, Art. 3 (2) lit. b GDPR).
Are there exceptions?
Swiss companies that must comply with the GDPR are exceptionally not required to appoint a data protection representative in the EU if all three of the following conditions are met (Art. 27 (2) lit. a GDPR):
- The data processing is only occasional, and
- it does not include large-scale processing of special categories of data (Art. 9 GDPR) or of data relating to criminal convictions and offences (Art. 10 GDPR), and
- it is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing.
The exception only applies if all three conditions are fulfilled. We do not advise relying on this exemption.
Who monitors the compliance with the GDPR?
Within a company, the data protection officer, where one has been appointed, is responsible for monitoring compliance with data protection regulations pursuant to Art. 39 (1) lit. b GDPR.
In addition, companies are monitored by the competent supervisory authority (Art. 51 et seq. GDPR; in Germany, Section 40 of the Federal Data Protection Act, FDPA). In Germany, these are the data protection supervisory authorities of the federal states, such as the Bavarian State Office for Data Protection Supervision.
What does data protection actually mean?
Section 1 (1) of the German FDPA in its version applicable until May 2018 stated: “The purpose of this law is to protect individuals from having their personal rights impaired by the handling of their personal data.” Data protection law therefore does not protect data as such, but rather the personality of each individual from being impaired by the collection, processing and use of personal data.
For many simple websites, a standard privacy statement template such as those available on the Internet should suffice. For anything beyond this, an individually drafted statement is required, which a specialized lawyer can prepare after detailed consultation. Particular issues arise when using social media plugins, analytics tools or other applications that collect and use data.
From the perspective of competition law, the consequences of a missing or incorrect privacy statement are disputed. According to some court decisions, for example those of the Higher Regional Court of Karlsruhe and the Higher Regional Court of Hamburg, the obligation of a website operator to inform users about the collection and use of personal data constitutes a market conduct rule. Consequently, competitors can issue warnings under competition law if privacy statements are missing.
The use of tracking services such as Google Analytics or other third-party tools such as externally hosted web fonts without meeting the legal requirements, in particular without effective consent obtained via a so-called cookie consent tool, is currently the subject of more frequent warnings. Data transfers to service providers in the USA without a valid legal basis have also recently become a frequent point of dispute.
What is a European Representative and what are the requirements?
A data protection representative in the EU is a natural or legal person established in an EU Member State. The establishment must be in one of the EU Member States where the data subjects whose personal data are processed are located (Art. 27 (3) GDPR). The representative must be designated in writing (Art. 27 (1) GDPR).
How do I choose the best European Representative?
In any case, it is recommended to select a European Representative with an in-depth understanding of the legal, organizational and technical aspects of data protection, so that inquiries from supervisory authorities can be answered in a qualified manner.
What are the tasks of the European Representative in the EU?
The EU Data Protection Representative is the point of contact for supervisory authorities and data subjects on all issues related to the processing of personal data and compliance with the GDPR; these may address the representative in addition to or instead of the company itself (Art. 27 (4) GDPR). The representative also maintains a copy of the record of processing activities pursuant to Art. 30 GDPR.
Who can use the data protection representative offer?
Our offer is aimed at legal entities and individuals located outside the EU who process data of individuals located in Germany and other EU Member States, in particular companies in Switzerland, the UK and the USA. Many of these companies and organizations, but also individual self-employed persons and entrepreneurs, require a data protection representative in the EU in accordance with Art. 27 GDPR.
What does FX Data do?
FX Data is a data protection company focusing on all services related to the implementation of data protection in companies. We advise small and medium-sized companies, train employees and act as external data protection officer as well as EU data protection representative.
FX DATA’s consulting services are characterized by a high level of understanding of the specific technical and economic requirements. In-depth technical knowledge is combined with fully-fledged legal knowledge.
FX DATA specializes in all questions and requirements that arise, or may arise, in connection with data protection and data security. Through years of assisting online stores and other clients in the B2C sector, FX DATA has extensive experience in dealing with consumers and their concerns.