What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law implemented by the European Union (EU) to safeguard the privacy and personal data of individuals. It establishes strict guidelines for how businesses collect, process, store, and transfer personal data of EU citizens, with the aim of enhancing data privacy and giving individuals more control over their personal information. Though the GDPR is an EU regulation, it applies to businesses worldwide that handle the personal data of EU residents, including companies based in Switzerland.
Key Features of the GDPR
- Data Subject Rights: The GDPR gives individuals (data subjects) a range of rights regarding their personal data. These rights include the right to access, rectify, erase, restrict processing, and object to processing. Additionally, individuals have the right to data portability, allowing them to transfer their data to another service provider.
- Consent and Transparency: Companies must obtain clear and explicit consent from individuals before processing their personal data. This consent must be informed, specific, and freely given. Organizations are also required to be transparent about how they collect, use, and store personal data by providing clear privacy notices.
- Data Protection by Design and by Default: The GDPR mandates that data protection should be integrated into business processes and systems from the outset. Organizations must ensure that only the necessary data is collected and processed, and that it is securely stored and used throughout its lifecycle.
- Breach Notification: In the event of a data breach, businesses must notify both the relevant supervisory authority and the affected individuals within 72 hours if the breach is likely to result in a high risk to their rights and freedoms.
- Accountability and Penalties: The GDPR places accountability on organizations to demonstrate compliance with its provisions. Businesses must keep detailed records of their data processing activities. Non-compliance with the GDPR can result in significant penalties, including fines of up to 4% of annual global turnover or €20 million, whichever is higher.
GDPR and Switzerland
While Switzerland is not an EU member state, the country has aligned its data protection laws with the GDPR to ensure seamless data transfer between Switzerland and the EU. Swiss businesses that process the personal data of EU citizens are subject to the GDPR’s provisions, and they must take appropriate measures to ensure compliance. Switzerland has also enacted the Federal Act on Data Protection (FADP), which harmonizes with the GDPR but includes certain distinctions specific to Swiss law.
Swiss companies must appoint data protection officers (DPOs) where required, conduct regular risk assessments, and ensure that their data processing practices meet the GDPR’s high standards of transparency, security, and accountability. The Swiss Federal Data Protection and Information Commissioner (FDPIC) monitors compliance with data protection regulations in Switzerland and cooperates with EU authorities to enforce GDPR standards.
The GDPR is a cornerstone of data protection in the modern digital age, empowering individuals with greater control over their personal information and setting a global benchmark for privacy standards.