GDPR: the latest news for Swiss and EU companies
Given the importance of personal data, it is in headhunting companies' primary interest to comply with the new GDPR law in order to protect candidates' personal information.
The European Regulation on data protection n. 2016/679 (GDPR) is intended to strengthen and standardize the protection of personal data for European citizens by implementing a series of measures that promote transparency in the management of personal data and give European citizens greater control over how their data is used. The GDPR comes into effect on May 25th 2018 and is directly applicable to all actors active in the territory of the European Union (EU), to all companies offering goods or services to people in the EU (for example through their own e-commerce site or other online sales platforms) and to companies that analyze the behavior of these people. The scope of the regulation is broad and also applies to non-European companies that process such data (Article 3), including Swiss companies. The GDPR should not be taken lightly: in case of violation, sanctions can be imposed of up to 20 million euro or 4% of total annual turnover.
More rights for citizens
Thanks to the new regulation, European citizens now have more rights. First, they must be informed in a precise, transparent, complete and simple way about the processing of their data, especially where the information is addressed to minors (Articles 11-14). They have the right to obtain confirmation that personal data concerning them are being processed, to access that data and to receive any additional information (right of access, Article 15). They can request the correction or completion of their data (Article 16) and its erasure ("right to be forgotten", Article 17). In certain cases, they can obtain a restriction on the processing of their personal data (Article 18): the data may still be stored but can no longer be used for further operations. Any rectification, erasure or restriction of processing must be notified to whoever is using the data (Article 19). Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit this data to other operators (right to data portability, Article 20). At any time, they can object to the processing of data concerning them, including for direct marketing purposes (Article 21), and they have the right not to be subjected to automated decision-making, including profiling (Article 22). Finally, they have the right to be informed in case of a breach affecting their personal data (Article 34).
Companies' proactive role
Companies that work with European citizens' data are the controllers or processors of that data. Since they must obtain express consent for the collection and processing of data (Articles 6-8), and given the increased transparency and information obligations mentioned above, they now have a more proactive role and stricter obligations. These are aimed not only at formal compliance with the rules, but also at adopting technical and organizational measures that ensure data protection (including pseudonymisation and minimization) from the design stage (privacy by design, Article 25) and at using only the personal data necessary for each specific processing purpose (privacy by default, Article 25).
With some exceptions (companies with fewer than 250 employees, but only if they do not carry out processing that may present a risk to the data subjects), companies must also keep a record of processing operations (whose contents are listed in Article 30). The technical and organizational measures to protect data must be adequate (Article 32) and aimed at ensuring that any security gaps are discovered immediately and that, in the event of a breach, the competent supervisory authority (in Switzerland: the Federal Data Protection and Information Commissioner) and those directly concerned are notified within 72 hours (data breach, Articles 33-34). Where data processing is more likely to be exposed to risk, companies must first carry out a risk assessment (data protection impact assessment, Article 35). In the case of regular, systematic and large-scale monitoring, or in the case of large-scale processing of sensitive data (Articles 37-39), companies are obliged to appoint a data protection officer (DPO), choosing whether to train staff internally or to contract external agencies. Controllers or processors who are not established in the EU but are still subject to the GDPR must appoint a representative in the EU (Article 27). Failure to appoint this representative entails a fine of up to 10 million euros (Article 27 and Article 83 paragraph 4).
How does Switzerland fit with the GDPR?
The Swiss Confederation is also moving in step with the new European GDPR regulation. The revision of the Federal Data Protection Act (LPD) is currently under way to make it compatible with EU law. However, the Commission of political institutions of the National Council wants the revision to take place in stages: the adaptations required by European law must be carried out first, and a complete revision of the data protection law will follow. For the Swiss market it will therefore be necessary to wait for the outcome of the political process, which will still take a long time.