Customers are becoming increasingly sensitive about how their personal data is handled. This is why it is no longer just major global companies that need to think carefully about protecting personal data (and therefore also customer data), but also small and medium-sized companies in Switzerland too. But how do you protect customer data properly? We are going to show you how data protection is regulated by law in Switzerland today.
Lots of companies already use customer data to target their marketing. The benefit of doing this is that they are able to target customers who are genuinely interested in a product or service. As a result, customers receive fewer irrelevant offers. This makes protecting personal data properly all the more important.
Personal data is essentially any information that can be used to identify a person. This includes names, e-mail addresses, ID numbers, but also other data, such as IP addresses. Personal data also includes pseudo-anonymized or encrypted data that could be used to identify that person again. Customer data can be processed online or on social networks using cookies (data saved onto your computer by a website you visit) to show users information tailored specifically to them.
The use and processing of personal data is regulated by law in Switzerland. The Swiss Federal Constitution states that any natural person is entitled to their personal data being protected from misuse. To guarantee this protection, the Swiss government passed the The link will open in a new window Federal Act on Data Protection (FADP), which has been in force since 1 July 1993. According to the Federal Act on Data Protection, personal data must always be processed in good faith. This means that the person concerned must be aware of that processing. If the purpose for the processing changes, consent must be obtained from the person concerned. (e.g. by having them accept a privacy policy). The Federal Act on Data Protection is currently undergoing revision.
The right to information stipulates that data file owners are obliged to provide persons with information about their personal data and its usage at any time. This also applies when that person is a customer. The right to information also covers negative notification. The Ordinance to the The link will open in a new window Swiss Federal Act on Data Protection also regulates other aspects, for instance the fact that a company must provide information on all personal data as well as its usage and processing within 30 days.
The new The link will open in a new window EU General Data Protection Regulation (GDPR) has been in force since 25 May 2018. The area of validity for companies that are not operating in the EU is based, in part, on the legal principle of “lex loci solutionis”. This means a Swiss company is subject to the GDPR if it provides goods or services in the EU or wishes to monitor the behaviour of persons residing in the EU. As a result of the European directive, companies and organizations must inform users right from the outset about the purpose for which data is collected and possibly passed onto third parties. The users must give their express consent, and can withdraw it at any time. With the right to information, users may ask for a copy of the data collected about them at any time. The GDPR also regulates other rights such as the right to be forgotten, where users may request the deletion of personal data that has been published online without any legal basis.
Protecting customer data is a complex issue. Not only are customers attaching increasing importance to their sensitive data, but legislation is also changing drastically. This is why companies must be proactive about data protection. It might well be worthwhile paying the occasional visit to the The link will open in a new window SME portal of the Swiss government to keep yourself up to date so you don’t miss out on any important information on changes in the law. Small companies can also find useful information in the article “IT security and data protection: small companies should avoid these mistakes” that will help them avoid making mistakes when it comes to personal data.
