Implementation of the GDPR: initial findings and penalties running to thousands of euros!

The EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. As we explained previously here, this Regulation may also apply to Swiss companies.

Businesses concerned, both European and Swiss, were required to take various measures by 25 May last. These included, for instance, appointing a data protection officer (DPO), adding a banner to company websites, reviewing confidentiality policies and general terms and conditions of use, creating a cookies page, adapting their contact forms, informing recipients of their newsletters, ensuring computer system security, training staff and adopting internal rules, analysing existing contracts, and adding supplementary clauses where necessary.

In the course of our work, we have found that a great many businesses had not yet put appropriate measures in place by 25 May 2018. Some have so far simply taken action that we would describe as “urgent”, i.e. inserting a banner, creating a cookies page and reviewing their confidentiality policies.

However, we should point out that merely adopting these “urgent” measures is not enough to comply with the GDPR. Hefty penalties may be imposed, even going as far as a definitive limitation on data processing and/or an administrative fine of up to EUR 20 million or 4% of annual worldwide sales (GDPR Art. 83).

That makes it imperative for the companies concerned, where their activities fall within the scope of the GDPR, to continue the long-term task of ensuring compliance.

The first penalties have in fact already been imposed. In France, the Restricted Committee of the CNIL (France’s national data-protection authority) recently imposed a penalty of EUR 75,000 on the Association pour le Développement des Foyers (ADEF – the French housing development association) because of a failure to protect the data of its website users. The Restricted Committee also imposed a penalty of EUR 250,000 on the OPTICAL CENTER company on the grounds of failure to fulfil its obligation to ensure the security of personal data. Modifying URL parameters in fact made it possible for hundreds of invoices to the company’s clients to be accessed; these invoices contained particulars such as surnames, first names, postal addresses, healthcare data (ophthalmological correction) and, in some cases, even the social-security numbers of those concerned.

In both cases, given the scale of the data involved and their highly personal and detailed nature, the Restricted Committee decided to make its ruling public. However, it is important to point out that, before making these rulings, the CNIL had alerted the relevant parties to the non-compliance of their systems and asked them – unsuccessfully – to put matters right.

WILHELM Avocats SA – 2.7.2018

Do you have questions about this topic?


About the author

Lawyer in Lausanne practising Swiss business law