Obligation with Consequences

Privacy policies: mandatory documents prone to frequent errors and expensive consequences

Author: Anja Schmitz, Senior Consultant & Partner at Projektas

A privacy policy is more than just a mandatory document – it’s a key component of a company’s legal transparency. In practice, though, there is still plenty of room for improvement here. Carelessness or a copy-paste mentality can quickly become expensive. We’ll show you what to look out for.

1. Providing false information is not a trivial offense

According to Art. 60(1) of the Swiss Federal Act on Data Protection (FADP), even merely providing incorrect or incomplete information is considered a breach of duty. In other words: if the privacy policy states, for instance, that Google Analytics is used or that personal data is not transmitted abroad even though this is not true, or if important information (e.g. about the cookies used) is missing, the statement is deemed to be false. This can result in natural persons (e.g. the company’s management or data protection officers) being hit with a fine of up to CHF 250,000.

Frequently, this situation arises because people simply copy other companies’ privacy policies from the internet without paying attention to the specific circumstances in play at their own company.

2. Using the right legal basis

Another stumbling block: lots of companies adopt privacy policies from the EU, even though they are exclusively subject to Switzerland’s FADP. The problem here is that nobody has checked beforehand to see which data protection laws apply in the first place. Swiss companies also frequently use GDPR-focused privacy policies – but fail to add the information required under the Swiss FADP. Although the FADP is heavily based on the GDPR, there are some specific requirements that only apply under the FADP and are not explicitly mentioned in the GDPR, and vice versa. In addition, it is important to consider not only the GDPR, a well-known piece of legislation, but also cantonal data protection laws. If a private company or organization fulfills a public task on behalf of the canton or municipality, the canton’s data protection laws may also apply to this sub-area.

As a result, it is strongly recommended that you check which data protection requirements apply to your company before drafting a privacy policy.

3. One privacy policy for the website alone is not enough

Many companies limit themselves to putting a privacy policy on their website. While there’s nothing wrong with that per se, they often only publish one privacy policy focusing on their website’s content. However, this falls short of the mark: according to Art. 19 FADP, the duty to provide information applies to all processing operations – i.e. to the entire company. There are two sensible approaches to this:

  • The holistic solution: this entails creating a comprehensive privacy policy that covers all data processing within the company, including on the website and by cookies. The pro is that you only need to maintain one central document. The con is that depending on the complexity of the company’s different data processing operations, the document can end up becoming very extensive – and needs to be presented in a structured way.
  • The modular solution: this involves drawing up individual privacy policies for different target groups and data processing operations, e.g. one privacy policy for website visitors, one privacy policy for applicants and one privacy policy for customers. The upside of this solution lies in the fact that the privacy policies are generally shorter and clearer. The downside, however, is that you need to make sure that the relevant privacy policy is easily accessible for each group of recipients. Plus, you need to maintain multiple documents.

Conclusion

A privacy policy is not a tedious, mandatory piece of text, but a legally relevant document and a tool that satisfies your obligation to provide information. If you cut corners in this respect, you risk losing your customers’ trust – and incurring hefty fines. Careful review, individual customization and a clear structure are essential. Not sure whether your privacy policy meets the requirements? Or have you realized that you copied and pasted its contents? If so, it’s worth arranging a professional review – before it becomes expensive.

And one more tip: refresh your privacy policy regularly, as your data processing operations or the technologies used may change. You should update it at least once a year.

Have your privacy policy reviewed now

Want to make sure that your privacy policy ticks all the boxes? Then make the most of a professional review by Projektas!

Offer: Privacy policy review for CHF 299 with coupon “DSE-Check@DataStore”.
How to redeem: Email , subject “DSE-Check@DataStore”. The offer is limited to seven coupons, one per company. Only Swiss companies with a German-language, FADP-aligned privacy policy are eligible.
Service: Written evaluation of completeness and transparency (compliance check). A revised privacy policy will not be provided and no legal advice will be issued.
Process: Projektas will contact you to ask a few brief questions and, in so doing, will process your data. You will then receive a discounted quote. Work will begin after the quote has been accepted. Delivery date by arrangement.
