GDPR

Osatech’s consultants are certified and can help you with the implementation of the data protection regulation. We conduct preliminary analyses of your company’s compliance status and plan with you what needs to be done.


GDPR consulting in Ticino, Switzerland

Swiss Confederation Link: GDPR Law

On May 4, 2016, the texts of the new European data protection regulation, and of the directive governing the processing of personal data for the purpose of preventing and combating crime, were published in the Official Journal of the European Union. This was a momentous step in data protection that unites all EU member states under one set of rules.

The regulation entered into force on May 24, 2016, but it did not become applicable until May 25, 2018. This waiting period gave companies and public administrations time to organize themselves and adapt to the new rules. It also set a strategic direction: data protection management is moving closer to the world of cybersecurity.

One of the innovations of the GDPR concerns the creation of a new professional figure in charge of supervising the proper management of data, the DPO or Data Protection Officer, to be introduced on a mandatory basis in public administration and private companies that process sensitive data.

Some of the main changes introduced by the GDPR include: the obligation to protect data “by design” and “by default”; the obligation to conduct a Data Protection Impact Assessment (DPIA) for high-risk data processing; the obligation to notify data breaches, i.e., to report any leak or compromise of data to the Guarantor and to the data subject; increased penalties for violations; and the pseudonymization and encryption of data.

How should Swiss SMEs handle the new regulations? It is crucial that all companies address this issue, as every company, large or small, needs to understand the basics of the GDPR. This is the only way to assess how to proceed in each individual case. Accordingly, we advise all our clients to start working on GDPR compliance right away.

It should also be taken into account that even a company operating exclusively in Switzerland, which therefore would not be subject to European directives, will face identical challenges at the latest when the new Federal Data Protection Act comes into force.

What are the risks? An entrepreneur must understand what the new regulations concretely entail for his or her business, and where personal data are stored and processed. This makes it possible to draw up a corresponding catalog of measures to gradually implement the requirements of the GDPR. Entrepreneurs should also ask themselves what the risks of non-compliance with GDPR guidelines will be in the future. This is no joke: depending on the violation, penalties can reach 20 million euros or 4 percent of annual worldwide turnover.

How to be in compliance?
Osatech’s consultants are certified and can help you with the implementation of the Data Protection Regulation. Through ISA Audits, we conduct preliminary analyses of your company’s compliance status and plan with you in stages what needs to be done to comply with the regulation.


The acronym GDPR stands for General Data Protection Regulation, the European data protection regulation in effect since May 25, 2018.

It regulates the processing of personal data by private companies, public administrations and other organizations. (“Processing” means any activity related to the collection, aggregation, extraction, analysis, storage, and sharing of data.) The GDPR requires that personal data be stored and processed securely.

The GDPR is designed to protect the personal data of anyone living in the European Union.

The European Union and its member states are responsible for enforcing the GDPR. Each country is required to establish a public and independent Data Protection Authority (DPA) to enforce the GDPR, handle complaints filed by individuals, impose sanctions when necessary, approve codes of conduct, and raise awareness among its citizens. Individuals’ complaints against companies will be answered in the DPAs and national courts, jointly with the Court of Justice of the European Union when necessary.

1: Grants individuals some new rights (e.g., the right to move their data between different companies and services, and the right to request a copy of their data held by companies) and requires companies/organizations to be more transparent (e.g., they must inform you about where the data they are processing is coming from and for what purposes it is being processed, and they must inform you if they are profiling you).
2: Makes it easier and more effective to comply with the law (e.g., by sanctioning companies or allowing people to go directly to a court in case of violation).
3: Simplifies the rules by applying the exact same law in all EU member states and gives companies more flexibility on how to ensure compliance.

Personal data play a central role in the GDPR; the regulation does not apply indiscriminately to all data held by companies. In practice, personal data means any information that can enable the identification of an individual. Since identification can often be achieved by combining several pieces of information, the definition of personal data is consequently quite broad. A shoe size, a hobby, or a picture, for example, could be classified as personal data if it is possible to trace which person these pieces of information belong to. Keep in mind that it need not be the data controller itself that is able to perform the identification.

The regulation is applied directly and indiscriminately in all 28 countries of the European Union and affects all private companies, public institutions and organizations that hold and process personal data. These entities have had more than two years, since April 27, 2016, to comply with the new regulation. But it also applies to companies and organizations operating outside the EU: if a company or organization processes the personal data of individuals living in the EU, it must comply with the GDPR, regardless of where it is based.

Yes. As soon as a company monitors or tracks the behavior of a user on the territory of the European Union, the regulation applies regardless of where the company is located.

1: Some state bodies, including national security services, law enforcement agencies and the judiciary, will be governed by separate national regulations.

2: Individuals are exempt if they collect data for “personal or household use,” such as if they store personal contacts in their phone.

3: Churches and religious associations may maintain their own bodies of data protection regulations and related independent supervisory authorities, provided that these regulations are in line with the GDPR.

If you do not comply with the GDPR, the Data Protection Authority may sanction you. This could be the result of a complaint filed by an individual or of an inspection decided by the Authority itself. The DPA must ensure that the sanction in each individual case is effective, proportionate, and dissuasive. The DPA will take into consideration, among other things, the nature and severity of the violation, the level of negligence associated with it, whether actions have been taken to mitigate the harm, and the company’s/organization’s budget. Penalties can be as high as 4 percent of the company’s annual turnover or up to 20 million euros, whichever is higher.

In order to assist you in the best possible way, our consultants have completed hundreds of hours of training courses and have successfully passed dozens of specific exams. We are available to provide clarification on the GDPR or to support you on the path to certification.
