GDPR Data protection and Swiss wine companies
On May 25th 2018, the General Data Protection Regulation (GDPR) will become fully effective. This regulation was introduced on May 24, 2016. It applies to the collection and use of personal data, in particular for promotional and commercial purposes. There is therefore no grace period, since a two-year period had already been granted to allow companies to comply.
This regulation is not only intra-European, it affects all companies outside Europe (including Switzerland) who process data with or in relation to Europe. Failure to comply with this regulation may result in fines up to 4% of the turnover and up to a maximum of 20 million Euros. That later point will surely attract attention.
Is Switzerland concerned by the GDPR?
On September 15, 2017 the Swiss Federal Council has announced its intention to evolve the Swiss LPD (Data Protection Act) towards the new European regulation. The project is expected to be completed by 2019 according to experts.
This decision of the FC is logical, first of all this regulation is a real step forward for the protection of personal data, especially vis-à-vis companies (including the GAFAs - Google, Apple, Facebook, Amazon) operating in Europe and Switzerland.
Businesses (especially tourism) that operate many transactions with the rest of the world and Europe in particular must already comply with the new European regulation. It would be absurd not to put everyone in Switzerland on the same page and surely the companies themselves will appreciate not having to operate with double standards. Because beyond the law, the case is also technical.
How is the world of Swiss Wines affected by GDPR?
Small producers with their hundreds of customers might be tempted to ignore it, but they should remember that the law is the same for everyone. If we want to regulate the activities of major groups and better protect the consumers we all are, we must create a legal framework that applies to all.
In the immediate future the world of Swiss wine is less impacted than the world of tourism, which must constantly fish a significant portion of its customers abroad and in Europe in particular.
One could argue that for companies working in Switzerland and whose commercial activities are limited to Switzerland there would be no need to evolve but this attitude will not find favor with consumers who do not appreciate the vagueness of our current practices .
In addition, by being proactive and thoughtful, the European data protection best practices can be implemented and will enhance consumer confidence in online trading and soliciting. So why deprive ourselves?
What are the important points of GDPR?
Most of the following information was taken from the Wikipedia pages related to the GDPR, corroborated by various articles and white papers.
The RGPD offers a harmonized legal framework
There will be one set of data protection rules directly applicable in all EU Member States (and eventually Switzerland), thus mitigating the current fragmentation of national data protection laws.
An extraterritorial application
The regulation will apply to companies established outside the European Union that process data on the activities of EU organizations.
Non-European companies will also be subject to the Regulation if they target EU residents through profiling or offer goods and services to European residents.
The consent of consumers must be "explicit" and "positive"
Citizens need to be informed about how their data will be used, and businesses and organizations that collect data need to give citizens more control over their private data.
Author's note: In all respects this is probably the most important element and can easily be implemented thoughtfully in small businesses when acquiring data.
The right to erasure (light version of the right to be forgotten)
Everyone has the right to obtain from the data managers the erasure, as soon as possible, of his or hers personal data and the data manager has the obligation to delete such personal data as soon as possible. .
The right to transfer personal data
Everyone has the right to obtain personal data from a data manager in a structured, commonly used and machine readable format and anyone has the right to transfer this data to another data manager.
Everyone has the right to not be the subject of automated decisions based exclusively on data processing, including profiling. In particular decisions which produces legal effects that may affect a person.
"Data protection by design" and "security by default"
The European regulation defines the principle of "data protection by design" (Privacy by design) which requires organisations to consider the requirements for personal data protection starting with the design of products, services and systems operating personal data.
In addition, the regulation defines the new rule of "security by default" which requires any organisation to have a secure information system.
Author's note: this is undoubtedly the technical aspect that has the greatest impact on current working methods. It is necessary to think upfront of how to acquire and use the data in order to facilitate the task and later be compliant.
Notifications in case of data leak
Companies and organisations will be required to notify the national protection authority as soon as possible in the event of serious data breaches so that users can take appropriate measures (Article 33 of the new RGPD).
The appointment of a data protection officer
This appointment is mandatory in certain cases. For small businesses it will be the person legally responsible of the company.
Having presented the general principles, we will discuss in a future article the practical aspects of this new regulation when acquiring and using your customers' data.
About the author
Jean-Francois Genoud is an economist with a passion for technology and wine. He has been the consultant in charge of Swiss Wine's official digital world. After a career at Logitech and across the world, he trained as a sommelier in order to merge his two passions into his professional activities.