As many of you know, in September the new Swiss Personal Data Protection Law will come into force. As one of the persons in charge of the websites (with e-commerce) for my employer, I am trying to figure out if there is a personal economic risk. The reason is that the law doesn’t punish the company, but the individual managers, with a maximum fine of CHF 250’000.
Luckily my company is very serious about data protection and doesn’t stretch the rules, but my perception is that there is always a little risk, even in good faith, for example in relation to suppliers or very technical IT implementations that are difficult for me to verify.
How worried should I be? Is there, in your opinion, a real risk of fines for a normal company operating in good faith? And if so, are there any ways to reduce that risk? For example, is there personal legal insurance that covers legal costs and also the possible fine?
Or am I worrying too much? Thanks for any thoughts on this topic.
I have way too many questions for you, but to sum up a bit:
As you are the controller of your company, you should first of all contact a professional in this field to analyse whether your company is up to date with the new FADP (Federal Act on Data Protection), because there are new rules that are a bit harsher for the company, especially if you have 250 or more employees (if that is the case, you need to provide a “Record of processing activities”).
Moreover, as the controller you should make sure that your processors also comply with the new rules, because if that is not the case, your company can be punished because one of your processors didn’t comply with the new rules.
Also, you should maybe update your information notice to provide your clients with information about how their personal data are used.
I would say that you should not worry if your company is already ready regarding the use of the personal data of your customers and employees, but you should definitely take advice from a professional and explain how you are running your company to identify possible breaches.