<h4>Introduction</h4><p>A majority of companies in Switzerland process a vast amount of personal data on a daily basis. Much of this data is confidential or even sensitive personal data. The GDPR aims to empower individuals to control the use of their personal data and to harmonize the patchwork of national data protection legislation across the EU, laying the foundation for a single, thriving digital market.</p><p>A particular feature of the GDPR is its extraterritorial reach, which is stipulated in Art. 3 GDPR. Besides applying to companies established in the EU, the regulation also applies to companies not established in the EU to the extent that their goods or services target EU data subjects or that they monitor the behavior of EU citizens. It is important to understand that the GDPR covers all data subjects: not only your customers, but every natural person whose personal data your organization processes, including employees, falls within the scope of the regulation.</p><p>The GDPR becomes effective on 25 May 2018. It gives the national EU authorities tasked with protecting data and privacy and with monitoring and enforcing the data protection regulations ('DPAs') the right to impose administrative fines of up to EUR 20 million or 4 percent of a company's global annual turnover – whichever is higher.</p><h4>Determination of the applicability of the GDPR for Swiss companies</h4><h4>Applicability 1: offering of goods and services to EU data subjects</h4><p>The extraterritorial reach of the GDPR is stipulated in Art. 3 GDPR and in Recitals 23 and 24. The term “offering of goods and services” is not defined very precisely in Article 3 itself.</p><p>What does it mean for a company whose website offers products or services to anyone? 
A further look at the clarifications in Recital 23 gives a better idea of how the term is interpreted under the Regulation.</p><p>Recital 23: “(…) In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.”</p><p>Therefore, a website that is simply accessible to a global audience would not in itself indicate an intention of “offering goods and services” to EU citizens and, on its own, would not necessarily subject a company to the GDPR. However, Recital 24 GDPR adds further aspects for consideration.</p><p>Recital 24: “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”</p><p>According to the above text from the Recitals, companies may demonstrate an intention of offering goods and services to EU citizens under the following circumstances:</p><ul><li>The company provides the option to switch to the native language and/or currency of an EU Member State; and/or</li><li>The company advertises on its homepage with customers or users (e.g. testimonials) that are based in the Union.</li></ul><p>Drawing from the main points in the Recitals of the GDPR, companies should further examine their obligations under the regulation when they:</p><ul><li>Include international telephone numbers on their website for contact purposes;</li><li>Use top-level domains of an EU Member State (e.g. .de);</li><li>Provide options for translation into EU languages;</li><li>Provide options for conversion into EU currencies; and</li><li>Advertise to attract EU users.</li></ul><p>If your company meets at least one of the above criteria, it may be a good time to prompt a review and determine whether you are required to comply with the GDPR’s requirements.</p><h4>Applicability 2: monitoring the behavior of EU citizens where that behavior takes place within the Union</h4><p>The regulation also uses the word “monitoring” in relation to companies’ processing activities. For a better understanding, we can use the guidance provided by Recital 24 of the regulation, quoted above in part; specifically, “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”</p><p>The above excerpt appears to refer to online monitoring and could be associated with behavioral advertising that creates profiles based on the data subject’s actions. 
Monitoring in the GDPR framework is also referred to as “profiling” and is defined as the automated analysis or prediction of behavior, location, movements, reliability, interests, personal preferences, health, economic situation, performance, etc.</p><p>Given the wide scope of profiling, companies should evaluate their current online and offline operations to determine whether they fall under the monitoring criterion.</p><p>Given the breadth of what the GDPR captures, each company should carefully assess the GDPR’s applicability. If you are unsure whether your company falls under the scope of Article 3 GDPR, you should seek expert advice.</p><h4>Impact of the GDPR</h4><p>If the GDPR applies to your company, its implementation has far-reaching effects on the company's entire data protection organization. Besides demonstrating that your company has full control over the personal data it processes in the course of its business, you will have to demonstrate that your company complies with the GDPR principles for data processing as well as with all other obligations under the regulation.</p><p>In most companies, data is spread across different systems and kept in various storage locations. To comply with the GDPR, companies need to understand where and how data is currently captured and stored. Business processes might need to be restructured in order to obtain a more easily accessible, holistic view of the data.</p><p>The main implications of the GDPR are the following:</p><table><tbody><tr><th><div>Information duties</div></th><th><div>Rights of data subjects</div></th><th><div>Data protection by design and default</div></th><th><div>Consent to data processing</div></th></tr><tr><td><div>Companies will have to inform data subjects proactively and in detail about how their personal data is processed (e.g. 
by a data privacy statement).</div></td><td><div>Customers will benefit from expanded rights, such as access to personal data, the right to object to processing, correction of inaccurate data, data portability and erasure of data.</div></td><td><div>The architecture of systems for data processing has to be done in a way that ensures the best possible data protection from outside threats.</div></td><td><div>Active consent is required (opt-in instead of opt-out). In addition, consent may be withdrawn at any time.</div></td></tr></tbody></table><table><tbody><tr><th><div>Documentation duties</div></th><th><div>Data protection impact assessment</div></th><th><div>Technical and organizational security measures</div></th><th><div>Data protection officer</div></th></tr><tr><td><div>Companies will have to document data processing comprehensively to show GDPR compliance.</div></td><td><div>An impact analysis will be necessary if certain categories of personal data (e.g., health, racial and ethnic origin, political opinion, etc.) 
are processed or personal data is processed for profiling.</div></td><td><div>Companies have to apply measures to protect personal data (e.g., a data protection procedure, including controls and the use of encryption).</div></td><td><div>Some companies may have to designate a data protection officer, e.g., if they process special categories of personal data or systematically monitor people on a large scale.</div></td></tr></tbody></table><table><tbody><tr><th><div>Notification requirements</div></th><th><div>Outsourcing</div></th><th><div>Representative in the EU</div></th><th><div>Governance</div></th></tr><tr><td><div>Companies have to notify the loss or unauthorized disclosure of data within 72 hours where feasible.</div></td><td><div>New responsibilities and stricter requirements for service providers (e.g., IT outsourcing, accounting, marketing, HR, etc.).</div></td><td><div>Some companies not domiciled in the EU may have to designate a representative in the EU if they process the personal data of, or monitor, EU residents.</div></td><td><div>Companies will have to document compliance with the GDPR. This will require them to seek and implement various IT and organizational solutions to create a performance control framework that ensures compliance.</div></td></tr></tbody></table><h4>Consequences of Non-Compliance with the GDPR</h4><p>Non-compliance with the GDPR entails high legal and financial risks. The GDPR provides DPAs with new rights to audit and to impose administrative fines, which can amount to a maximum of EUR 20 million or 4 percent of the global annual turnover of a company – whichever is higher. 
Besides substantial fines, depending on the gravity of a data protection breach it cannot be ruled out that EU market access for a company outside the EU may be temporarily restricted as a result of measures taken by national DPAs.</p><p>Given the far-reaching implications of the GDPR, each company should carefully assess the GDPR’s applicability. If you are unsure whether your company falls within the scope of Article 3 GDPR, you should seek expert advice.</p>