Swiss Approval Technische Bewertung S.A.

SWISS APPROVAL Certificate of Compliance

The SWISS APPROVAL compliance certificate is based on the requirements of the New European General Data Protection Regulation (GDPR), which was passed on April 27, 2016 and comes into force with significant changes compared to the previous applicable framework, which in turn will lead to operational changes in companies/organizations, structural requirements and changes in the information management culture.

In order to ensure full compliance with the new Regulation, both citizens and legal entities (organisations, companies, businesses) need to be adequately informed and, particularly in the case of businesses, should draw up and implement an action plan to fill any functional gaps in accordance with the new requirements of the legal framework.

The EU aims to strengthen the control of personal data by the citizens themselves, but also to define the principles for their retention and retrieval. Businesses/organisations have until May 2018 to prepare and fully comply with the new framework.

Swiss Approval, through its specialised team of experts, provides the compliance verification service in accordance with the terms of the GDPR and can issue compliance certificates once all adaptations to the new regulatory framework have been achieved by the business/organisation concerned.

SWISS APPROVAL’s compliance certificates ensure that the Requirements of the Regulation:

  • Have been developed and are available and adapted to the specific scope of work of the company,
  • Are actually operational in the day-to-day running of the business,
  • Are fully understood by the personnel involved, and finally,
  • Recognition of the competence of the DPO, the so-called Data Protection Officer of the company, against the requirements of this Regulation, without the need for his allegedly “mandatory” training, since during the inspection his competence is identified by the Inspection Team, and his competence and necessary suitability are recognized against any third party, within the company.

Substantial changes in the market due to GDPR

Companies will no longer have to deal with a bureaucratic plethora of different national regulations, but with uniform pan-European and predictable rules. This will, according to the European Commission, facilitate international digital transactions and expansion into other countries and new markets, especially for smaller companies. The rules will be the same for companies established in the EU and for those based outside the EU (e.g. the US) but which operate in the EU.

It is expected that the increase in consumer confidence resulting from the new data protection rules will ultimately benefit small and medium-sized companies in particular.

This is an opinion that we here at SWISS APPROVAL do not entirely support, as Google or other similar providers will now emerge as the exclusive communication channel between a company and its potential customers, since direct marketing, which used to favour the contact of small businesses with potential customers at low cost, will be significantly limited due to the restrictions on the use of personal data. The financially strongest, who will spend the highest “Cost per Click”, will now be ahead in market preferences, with the result that the viability of small and medium-sized businesses and of product and service distribution networks will be threatened in the future.

The Certification of Businesses, against the requirements of the GDPR Regulation, and the Contribution to the sustainability and organization of the SME and Large Business.

Fortunately or not, the viability of an SME or even a larger business, in the long term, is nowadays dependent on its certification of compliance with the requirements of the GDPR Regulation.

As discussed above, SMEs will be faced with an increase in advertising and promotion costs for products and services, since the so-called Direct Marketing as we have known it until today will now be the main threat factor in the form of an industry of lawsuits from potential “affected” consumers, given the exhaustive amount of fines foreseen by the National Authorities.

The solution, however, does not lie in abandoning low-cost marketing, promotion and sales methods, but in shielding the business against the risks arising from the application of the Regulation, by emphasising the rational management of the existing customer base, and even targeting conscious consumers and mature socially aware citizens.

The Certification of Compliance with the provisions and requirements of the GDPR, is the European Passport for the safeguarding of Legal Entities, the support of international partnerships and, consequently, their sustainability.

The Inspection and Audit of Businesses by International Certification Bodies, ensures to a high degree, the actual adaptation of the Business to the requirements of the Regulation, and the effective and constructive adaptation measures applied, adapted to its object.

In the first period of implementation of the Regulation, in the Greek market in particular, there is a chaos of offered consulting services, of dubious quality, and extremely high costs in most cases.

High cost, which is not commensurate with the actual level of expertise provided, since the so-called COPY/PASTE consultancy service is observed in a wide range of cases.

The reality in the coming period will be extremely unpleasant.

Enterprises that even spent high individual amounts to prepare themselves against the requirements of the GDPR Regulation will find themselves confronted with appeals from Individuals, and will be surprised to discover the so-called “holes” in the structured system of personal data protection that they apply.

The Inspection and Audit of businesses by Competent Certification Bodies, ensures to a high degree, the actual adaptation of the Business to the requirements of the Regulation, mainly through the identification of all kinds of “functional gaps”.

In this way, the effective and constructive adaptation of the requirements of the Regulation is achieved in a personalized manner to the Company’s business object,


10+1 Q&A, presented in a simple way, in order to understand the requirements of the GDPR Regulation and the role of Certification.

Significant changes will take place from Friday 25 May in Greece and other countries of the European Union, with the implementation of the new European General Data Protection Regulation.

Swiss Approval provides a general framework of information, which will help the visitor of our website to better understand the upcoming changes.

As part of our Corporate Social Responsibility, SWISS APPROVAL TECHNISCHE BEWERTUNG has permanent legal and technical staff to provide clarifications exclusively to Legal Persons, regarding issues of Interpretation of the Regulation and the advantages of the Certification of Legal Persons in the context of its implementation.

  1. What does the new Regulation concern and who is covered by the new Regulation?

The new EU General Data Protection Regulation (GDPR) regulates the processing by Natural Persons, Companies or Organisations of personal data relating exclusively to Natural Persons (and not companies) within the EU.

It is expressly stated that the processing of personal data of deceased persons or legal entities is not subject to this Regulation.

  2. When will the Regulation not apply?

The new rules will not apply to data processed by an individual for strictly personal reasons or for activities carried out at home, provided they are not connected with a professional or commercial activity. They will not apply if, for example, an individual uses their private address book to invite friends by email to a party they are organising (the household activities exemption applies).

  3. What is considered personal data?

Personal data is information about an identified or identifiable living individual. Different information which, if put together, can lead to the identification of a specific individual, is also personal data.

Personal data which have been rendered anonymous, encrypted or for which pseudonyms have been used, but which can be used to re-identify an individual, remain personal data and fall within the scope of the GDPR.

Personal data that have been rendered anonymous so that the individual is not identifiable are no longer considered personal data. For data to be truly anonymous, the anonymisation must be irreversible.

The GDPR protects personal data irrespective of the technology used to process them. It is technology neutral and applies to both automated and manual processing. It also does not matter how the data is stored – in digital or paper form.

  4. Which are typical examples of personal data and which are not?

– First and last name,

– The address of residence,

– Identification number,

– The Personal E-mail address,

– The bank card identification number,

– The location data (e.g. GPS on a mobile phone),

– The Internet Protocol (IP) address; and,

– The health data held by a hospital or doctor.

Examples of data that are not considered personal are the company registration number, the company email address of the type “info@company.com” and any kind of anonymous data.

  5. What constitutes data processing?

The term “processing” covers a wide range of operations carried out on personal data, either by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, association or combination, restriction, erasure or destruction of personal data.

Examples of processing include:

– Personnel management and payroll,

– Accessing/searching information in a contact database that includes personal data,

– The sending of promotional emails,

– Publishing/posting a photograph of an individual on a website,

– Storing IP addresses, and,

– Filming with a closed circuit television.

  6. Will users see changes on the Internet after 25 May 2018?

Undoubtedly not noticeable.

A change for those living in the EU will be seeing fewer online ads “following” them after an online purchase. With the new rules, it will become more difficult for targeted online advertising that takes users “by the foot” from website to website they visit, as it will be harder for companies to collect and sell information about users’ online habits after getting their permission. Thus, online advertising in Europe will tend to become more generic, like that on TV, rather than as targeted as in the US.

  7. What will be the new rights of users?

– They will have the right to receive clear and understandable information about who is processing their personal data and why.

– They will be able to ask all companies for access themselves and find out exactly what data companies hold about them.

– They will also have the right to ‘opt-out’, meaning that if they want, they can demand that this data be deleted from companies’ databases. This will not just apply to tech companies (e.g. Facebook or Google), but banks, retail outlets and any other company or organisation that holds personal data, including employers. For example, it will be possible, if you are not a public figure, to ask a search engine (e.g. Google) to delete links, such as a newspaper article, that refer to a personal past affair.

Conversely, if online personal data is lost or stolen, the company must within 72 hours inform the individual and, if it fails to do so, risks a fine. If a person has suffered a loss, they can also seek compensation by taking legal action. Given the frequent cyber attacks by hackers against companies, the importance of this right is clear.

If a citizen-user suspects that there is an abuse in the collection of data concerning him or her, he or she can appeal to the competent national data protection authority, which is obliged to investigate the matter. Citizens can also take collective action against a company, which has so far been uncommon in Europe, unlike in the US.

Citizens’ organisations can bring actions on behalf of groups of citizens. If one case is won, it is expected that a legal precedent will be set for other cases, which will force companies to take the issue of privacy more seriously.

The right to “data portability” is also given, meaning that a person’s data will not be allowed to be “locked” to a company or service provider. Companies are required to allow a consumer user to “download” their personal data and transfer it to a competing company, whether it’s financial data from bank to bank, or transferring a song playlist from Spotify to a competing music streaming service.

  8. Do consumer users understand what is happening?

Most people don’t, unfortunately.

Several companies are already informing users by e-mail and other means about their new policy on personal data, but the law requires the terms to be written in simple rather than legal language, which is often not the case. Also, companies must give everyone the option to block the collection of information about them. But often users give their consent in haste, without understanding and without taking advantage of the new possibilities they have.

  9. Apart from users, do companies have anything to gain from the new rules?

Companies will no longer have to deal with a bureaucratic patchwork of different national regulations, but with uniform pan-European and predictable rules.

This will, according to the European Commission, facilitate international digital transactions and expansion into other countries and new markets, especially for smaller companies. The rules will be the same for companies established in the EU and for those based outside the EU (e.g. the US) but operating in the EU.

It is expected that the increase in consumer confidence resulting from the new data protection rules will ultimately benefit small and medium-sized companies in particular.

  10. How effective will the new Regulation be in practice?

It is too early to assess; it may take years.

Much will depend on how strictly the National Supervisory Authorities will apply the new rules. Unfortunately, a recent Reuters survey of EU country regulators concluded that many of these independent bodies are not yet ready.

Media reports also indicate that massive complaints from natural persons to the respective National Authority for violation of the provisions of the Regulation are foreseen, and this will be the trigger for stricter compliance with the Regulation by companies, but also for the National Authorities themselves to be well prepared, since 17 of the 24 Authorities that responded to questions on the subject stated that they either do not have the necessary funding, sufficient staff or the necessary powers to implement the new rules.

10 + 1. Fortunately or not, the viability of an SME in the long term depends on its certification of its compliance with the requirements of the GDPR Regulation.

In Question 9 above, we analysed the reasoning according to which SMEs will be faced with an increase in advertising and promotion costs for products and services, since the so-called Direct Marketing as we have known it until today will now be the main threat factor in the form of an industry of lawsuits from “aggrieved” consumers, given the exhaustive amount of fines foreseen by the National Authorities.

The solution, however, is not to abandon low-cost marketing, promotion and sales methods, but to shield the business against the risks arising from the application of the Regulation.

And the GDPR Certification is the European Passport to the survival of legal entities.

In the first period of implementation of the Regulation, in the Greek market in particular, there is a chaos of offered consulting services, of questionable quality, and extremely high costs in most cases.

High cost, which is not commensurate with the actual level of expertise provided, since the so-called COPY/PASTE consultancy service is observed in a wide range of cases.

The reality in the coming period will be extremely unpleasant.

Enterprises that even spent high individual amounts to prepare themselves against the requirements of the GDPR Regulation will find themselves confronted with appeals from Individuals, and will be surprised to discover the so-called “holes” in the structured system of personal data protection that they apply.

The Inspection and Audit of companies by Competent Certification Bodies, ensures to a high degree, the actual adaptation of the Company to the requirements of the Regulation, and the effective and constructive adaptation measures applied to its object.

The SWISS APPROVAL Certification is the essential guarantee for an enterprise that the requirements of the regulation:

  • Have been developed and are available and adapted to the specific scope of business of the company,
  • Actually work in the day-to-day operations of the business,
  • Are fully understood by the personnel involved, and finally,
  • Recognition of the competence of the DPO, the so-called Data Protection Officer of the company, against the requirements of the regulation in question, without the need for his allegedly “mandatory” training, since during the inspection his competence is identified by the Inspection Team, and his competence and necessary suitability within the company are recognised against any third party.