GDPR: Everything about the EU General Data Protection Regulation

It also affects our online activities in Switzerland: the European General Data Protection Regulation (GDPR). In force since May 25, 2018, it has caused perplexed faces here and there. We have therefore compiled the most important information for you about data processing on your website and the most frequently used website tools. A small guide to action - so that you are also on the safe side.

Note: The following overview does not claim to be exhaustive. It primarily serves as a guide to action and points out selected, important points with regard to the GDPR.

The most important facts in brief

Basically, the effects of the GDPR on Switzerland can be summarized as follows:

- As soon as data of persons in the EU is collected and processed on a website, the GDPR must be observed and its requirements complied with.
- As soon as you commission a website, you are fully responsible for the personal data processed via your website.

Who is responsible for the data collected?

If you yourself determine how and for what purpose personal data is collected and processed via your website, you are responsible for this data. You must ensure that the data is collected, processed, stored and used lawfully. The data subjects must be informed of their rights and know how, for what purpose and for how long the data is stored. You must also obtain explicit consent from all data subjects for the collection, processing and storage of data.

This responsibility also applies if you commission someone to manage your website. As the client of a web mandate, you must ensure that the processor fulfills its contractual obligations and processes all data securely and lawfully.

6 areas and tools: What to do.

Google Analytics

As soon as Google Analytics is used on your website, you instruct Google to process personal data for you.
To ensure that this use complies with data protection regulations, it is recommended that you conclude a data processing agreement with Google before using these tools. You can also do this electronically via the Google Analytics account. Furthermore, the users of your website should be informed that you use Google Analytics. There also needs to be an opt-out option (a deactivation function) that allows users to stop their data being recorded by Google Analytics. In addition, the IP address must be shortened (anonymization function).

Google Ads and Google Search Console

When using these tools, no personal data is processed by your company, which is why there is no need for action under the GDPR.

Facebook Pixel

Facebook acts as a processor for your company. Therefore, the same points must be observed as when using Google Analytics. Again, a contract for data processing by Facebook is required. Facebook does not currently appear to offer the option of using Facebook Pixel without transferring personal data to Facebook. However, it does offer technical tools to prevent the transmission of personal data via Facebook Pixel as long as the user of your website has not consented to the data processing. It can be assumed that the use of Facebook Pixel currently requires the prior consent of website users as well as data protection-compliant information.

Website plugins

With website plugins, it makes sense to check in advance whether they collect and store personal data. If this is the case, there needs to be a legal basis for this data processing. This can take the form of consent. In addition, the user of your website must be informed how and for what purpose their data is stored and for how long.

Mailchimp (newsletter tool)

Mailchimp also acts as a processor for your company. This means that you as a user are also jointly responsible for the lawful processing of the data.
It is also advisable to use a double opt-in registration with express consent to be added to the distribution list. When you are added to a newsletter distribution list, an additional confirmation email is sent to activate the entry. It is also advisable to check the previous settings of your newsletter tool carefully. The privacy policy must state which data is processed and for what purpose. When a new user registers, Mailchimp saves the date and time of registration as well as the email and IP address. This must also be indicated. In addition, you must integrate an unsubscribe option in the form of a link in the newsletter every time you send an email.

Legal notice and privacy policy

It is also important to check the legal notice and privacy policy on your website. We can provide you with recommendations or adapt the legal notice and privacy policy to the best of our knowledge. However, as very specific legal requirements may apply here, a final check must be carried out by you and/or your lawyer.

We are happy to take care of specific measures on your behalf with regard to the GDPR. These include:

- Data processing agreement with Google Analytics
- Anonymize Google Analytics IP
- Check plugins
- Mailchimp order processing contract
- Integrate Mailchimp double opt-in registration
- Customize Imprint/Data protection declaration

Would you like to find out more about the possibilities with Google and Co.? Your contact for all questions and concerns relating to the GDPR: Mathias Schürmann, mschuermann@rocket.ch, +41 41 500 10 11