Data protection requirements

When does the GDPR apply?

The EU General Data Protection Regulation (GDPR) applies to all businesses that process personal data of individuals who are in the EU. The marketplace principle applies: regardless of where the company is established, the requirements of the GDPR must be met if goods or services are offered or sold to persons in the EU.

If, for example, a Swiss company enters into a legal transaction with persons located in the EU via the voucher and/or ticket shop (sale of vouchers/tickets/etc.), then the GDPR applies.

When does the Swiss FADP apply?

The FADP applies to circumstances that have an effect in Switzerland, even if they are initiated abroad (Art. 3 FADP).

The revised FADP protects the personal data of natural persons only; data of legal persons, which the previous act also covered, is no longer in scope. It applies to private persons, including commercial and non-commercial organisations, and to federal bodies that process personal data with effect in Switzerland, regardless of the data subject's nationality. The territorial scope of the FADP is therefore comparable to that of the GDPR.

This article refers to the new Swiss Federal Act on Data Protection (Data Protection Act, FADP) which entered into force on 01.09.2023.

What is personal data? 

Personal data is any information relating to an identified or identifiable natural person. Examples: names, email addresses, bank details/credit card data and IP addresses.

Legal requirements

When using an online shop, the following legal requirements must be taken into account or implemented in particular:

Data protection

Data protection requirements arise mainly due to the EU General Data Protection Regulation (GDPR), the Swiss Data Protection Act (FADP) and other country-specific laws such as the German Federal Data Protection Act (BDSG).

These laws contain, for example, requirements for "the data subject's information" (e.g. a website's privacy policy) and for "the data subject's consent" (e.g. email newsletter).

ePrivacy

The ePrivacy Directive (Directive 2002/58/EC or Data Protection Directive for Electronic Communications) and various country-specific laws such as the German TTDSG (Telecommunications Telemedia Data Protection Act) define the rules for setting "cookies" and for protecting website visitors' devices.

Competition law

Some countries such as Switzerland, Austria and Germany have a UCA (Unfair Competition Act). For example, the requirement to implement the double opt-in procedure (DOI) is derived from the German UCA - in conjunction with the GDPR.

More:

  • Telemedia Act (TMG/Germany)
  • E-Commerce Act (ECG/Austria)

Technical requirements

Technical and organisational measures (TOM)

Companies must take appropriate technical and organisational measures (TOMs) to ensure the protection of personal data. The TOMs must be documented for the purpose of fulfilling the legal obligations to provide evidence. This requirement is based on, for example, Art. 8 FADP and Art. 32 of the GDPR.

With regard to our service, we have implemented the following TOMs, for example:

  • Appointment of a data protection officer
  • Signing of data protection agreements with our service providers
  • Review of our service providers with regard to the processing of personal data
  • Training and awareness-raising of our employees
  • Procedures for regularly reviewing our TOMs
  • Implementation of restrictive rights and role concepts
  • Use of encryption technologies
  • Implementation of penetration tests

Further information and details can be found in our data protection agreement.

Data protection through technology and data protection-friendly default settings

Privacy by design: businesses must implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, both at the time of determining the means for the processing and at the time of the processing itself.

Privacy by default: Companies must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

These requirements are based on, for example, Art. 7 of the FADP and Art. 25 of the GDPR.

In our voucher/ticket system, the requirements "Privacy by Design" and "Privacy by Default" are implemented by default; examples:

  • We only collect the data in the online shop that is necessary for executing the service, thus implementing the principle of data minimisation (Art. 5 (1) (c) GDPR; in German practice also referred to as "data economy" and "data avoidance").
  • The online shop is designed in such a way that non-essential cookies are only set if the user has actually given explicit consent.

For more information on the basic settings of the shop, see here.

Newsletter consent with the double opt-in procedure

Companies must be able to prove that consent has actually been given by the data subject. Best practice for consent to an email newsletter is the double opt-in (DOI) procedure.

Immediately after registration to an email newsletter, the subscriber receives an advertising-free confirmation email (DOI email). The subscriber must click the confirmation link it contains; only then does the subscription become active and only then is the newsletter sent. The registration itself, the confirmation and their timestamps are recorded as evidence of consent.

The DOI procedure is implemented in our online shop.

You can find out how to use the option for subscribing to your newsletter here.
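The following is an added example of the DOI flow described above, written for this page and not taken from the e-guma shop. It assumes an in-memory store in place of a database, an `outbox` list in place of a mail server, a 48-hour link lifetime and a hypothetical confirmation URL; the record fields kept as evidence of consent are an illustrative choice. The points a practitioner should take from it: the token is unguessable and single-use, only its hash is stored, nothing is subscribed until the link is clicked, and the retained record is what you would show a supervisory authority.

```python
"""Double opt-in (DOI) newsletter consent with a verifiable consent record.

Added example, not the shop's own code. Assumptions: an in-memory dict stands in
for the database, self.outbox stands in for the mail server, the confirmation
URL is hypothetical, and the 48 h token lifetime is an illustrative choice.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600   # assumption: confirmation links expire after 48 h


@dataclass
class PendingSubscription:
    email: str
    requested_at: float
    requested_ip: str
    expires_at: float


@dataclass
class ConsentRecord:
    """What is retained as evidence that the data subject actually consented."""
    email: str
    requested_at: float
    requested_ip: str
    confirmed_at: float
    confirmed_ip: str
    text_shown: str             # wording of the consent the subscriber confirmed


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a read-only leak of the store does not
    # let an attacker confirm subscriptions on someone else's behalf.
    return hashlib.sha256(token.encode()).hexdigest()


class DoubleOptIn:
    def __init__(self, confirm_url_base: str, consent_text: str):
        self.confirm_url_base = confirm_url_base
        self.consent_text = consent_text
        self._pending = {}      # token hash -> PendingSubscription
        self._consents = {}     # normalised email -> ConsentRecord
        self.outbox = []        # (recipient, mail body); stands in for sending

    def request(self, email: str, ip: str, now: Optional[float] = None) -> None:
        """Step 1: record the request and send an advertising-free confirmation mail.

        Nothing is subscribed yet. An address that never confirms is never sent a
        newsletter, so a typo or a malicious sign-up of a third party has no effect.
        """
        now = time.time() if now is None else now
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        self._pending[_hash_token(token)] = PendingSubscription(
            email=email, requested_at=now, requested_ip=ip,
            expires_at=now + TOKEN_TTL_SECONDS)
        body = (f"Please confirm your newsletter subscription:\n"
                f"{self.confirm_url_base}?token={token}\n"
                f"If you did not request this, simply ignore this message.")
        self.outbox.append((email, body))

    def confirm(self, token: str, ip: str, now: Optional[float] = None) -> bool:
        """Step 2: the click on the link is the consent. Single use, time limited."""
        now = time.time() if now is None else now
        pending = self._pending.pop(_hash_token(token), None)   # pop: one use only
        if pending is None or now > pending.expires_at:
            return False
        self._consents[pending.email] = ConsentRecord(
            email=pending.email, requested_at=pending.requested_at,
            requested_ip=pending.requested_ip, confirmed_at=now,
            confirmed_ip=ip, text_shown=self.consent_text)
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self._consents

    def consent_proof(self, email: str) -> Optional[ConsentRecord]:
        """The evidence of consent to hand over on request."""
        return self._consents.get(email.strip().lower())


def token_from_mail(body: str) -> str:
    """Helper for local testing: extract the token from the confirmation mail text."""
    return body.split("token=", 1)[1].split()[0]
```

Because `confirm()` pops the pending entry before checking expiry, an expired or already-used link can never be replayed, and a forged token simply finds no entry. The `ConsentRecord` deliberately stores the consent wording shown at the time, since a later change of the newsletter text does not retroactively cover the earlier consent.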

Organisational requirements

Data protection agreement

We are – with regard to the voucher/ticket system – acting as a processor in the sense of Art. 5 (k) of the FADP or Art. 4 No. 8 of the GDPR – for our customers. For legally compliant use of the voucher/ticket system, it is necessary to conclude a data protection agreement with us. This requirement is based on, for example, Art. 9 of the FADP and Art. 28 of the GDPR.

You can find our template for a data protection agreement here: Open contract. You can fill out and download this commissioned processing agreement directly on your computer.

Our data protection agreement is based on the EU Standard Contractual Clauses (SCC). The Swiss data protection authority (FDPIC) has recognised the standard contractual clauses (SCC) published by the EU Commission in accordance with Art. 16 para. 2 lit. d of the FADP. We have met the requirements of the Swiss data protection authority (FDPIC) through additional regulations. In this respect, our data protection agreement can also be used directly with Swiss companies.

We have concluded data protection agreements - e.g. in accordance with Art. 28 of the GDPR, Art. 26 of the GDPR and Art. 9 Para. 1 of the FADP with all relevant service providers.

Data protection advisor/data protection officer

Under certain conditions, companies can or must appoint a data protection officer (DPO). This requirement is based on, for example, Art. 10 of the FADP, Art. 37 to 39 of the GDPR and § 38 of the BDSG.

Regardless of whether there is a legal obligation to appoint a DPO, companies can appoint a DPO on a voluntary basis to minimise data protection risks.

For more information on the necessity of a DPO and their tasks as well as the obligation to report to the data protection authorities, see here.

We have appointed an external data protection officer.

Please note that you must publish the contact details of the data protection officer (e.g. pursuant to Art. 37 (7) of the GDPR). You can do this, for example, via your privacy policy.

You can find instructions on how to do this in the voucher/ticket shop here.

EU - Representative

As a rule, controllers and processors not established in the EU must designate an EU representative in writing in accordance with Art. 27 of the GDPR. The EU representative must be established in the EU. The tasks of the EU representative must be agreed in a contract between the controller or processor and the EU representative.

We will be happy to provide you with an EU representative free of charge. For more information about the tasks of an EU representative and on our free service for your company, click here.

Please note that you must publish the contact details of the EU representative. You can do this, for example, via your privacy policy.

You can find instructions on how to do this in the voucher/ticket shop here.

Directory of processing activities

Companies are obliged to document the processing of personal data. This requirement is based on, for example, Art. 12 of the FADP and Art. 30 of the GDPR.

The register of processing activities (ROPA) is one of the most important basic building blocks of data protection and is used, among other things, to be able to prove compliance with data protection provisions to a data protection authority.

A ROPA describes each relevant processing operation involving personal data and contains at least the following:

  1. Controller's name and contact details
  2. Purposes of the processing
  3. Legal basis of the processing
  4. Description of data subject categories
  5. Description of personal data categories
  6. Data recipients
  7. Deletion periods/deletion concept
  8. Description of technical and organisational measures

We have documented our processing operations; both in our role as controller and in our role as processor for our clients.

Businesses are required to assess the risk to the rights and freedoms of data subjects. If a significant risk cannot be ruled out, the business must carry out an extended risk assessment (see section below); this risk analysis is called a data protection impact assessment (DPIA).

Data protection impact assessment (DPIA)

The term "data protection impact assessment" (DPIA) refers to an extended risk assessment that must be carried out by companies in certain cases. This requirement is based on, for example, Art. 22 of the FADP and Art. 35 of the GDPR.

A DPIA is subject to far-reaching requirements, which is why – under the GDPR – the advice of the company's data protection officer must be sought where one has been designated (Art. 35 (2) GDPR).

Information requirements/data protection declaration

Companies are subject to far-reaching information requirements towards the data subjects. Data subjects can be, for example, users of the voucher/ticket shop, customers, newsletter subscribers and the company's own employees. This requirement is based on, for example, Art. 19 to 21 of the FADP and Art. 12 to 14 of the GDPR.

The information requirements are usually fulfilled via the company's data protection declaration.

For the data protection declaration, you can use the template from e-guma or enter your own data protection declaration. Find out here where you edit the privacy policy.

Find out how you can integrate your own data protection statement into the e-guma shop here.

The e-guma template is constantly updated and adapted to new circumstances. If your own privacy policy is entered, this automatic update will no longer happen.

Please note that a data protection declaration integrated in the shop must specifically describe the shop's specific processing. A copy of the data protection declaration from your homepage is usually not sufficient.

In addition to the pure information obligations (see section "Information requirements/data protection declaration"), companies are required to obtain consent from a website user before using technologies that are not strictly necessary. This requirement generally results, for example, from Art. 6 of the FADP and Art. 6 of the GDPR in conjunction with Art. 7 of the GDPR.

Consent is required:

  • Cookies and similar technologies (local storage etc.) unless they are strictly necessary for the operation of the website. The Facebook/Meta pixel cookie "_fbp", for example, is not necessary and therefore requires consent.
  • Integrated third-party tools insofar as they send data to the third-party provider (e.g. Google Analytics). The strict requirements for the disclosure of personal data abroad are defined, for example, in Section 3 of the FADP (Art. 16 et seq. FADP) and Chapter 5 of the GDPR (Art. 44 to 50 GDPR).

Our online shop provides you with a legally compliant and data-saving "Consent Banner".

Information about the configuration options of the "Consent Banner" can be found here.

Are you looking for a data protection expert?

Are you looking for an expert who can advise you on all data protection issues, draw up the necessary processes and documents and, if necessary, act as your data protection officer? 
Finding the right partner is a big challenge. We have good experience with IT.DS consultancy and can highly recommend it. You can contact their managing director Sven Meyzis (info@itdsb.de) if you are interested.