Business site and data protection
An e-commerce website must process the data collected about its customers transparently and securely.
Federal Data Protection Law
Swiss companies that process personal data are subject to the new Federal Data Protection Law. This law will come into force on September 1, 2023.
With this in mind, SMEs should check whether the data protection declarations on their e-commerce site comply with the new legal requirements. They must take into account a number of new requirements, such as the obligation to inform users before collecting any personal data (no longer only so-called sensitive data), and the principles of "Privacy by Design" and "Privacy by Default".
As its name implies, the principle of "Privacy by Design" requires developers to build the protection and respect of users' privacy into the very structure of the e-commerce site that collects personal data. The principle of "Privacy by Default" ensures the highest level of protection from the moment the site is launched, by activating by default, i.e. without any intervention from users, all the measures necessary to protect data and limit their use. In other words, all software, hardware and services of the e-commerce site must be configured to protect data and respect the privacy of users.
A checklist is available on the SME Portal, as well as various other content on the website of the Federal Data Protection and Information Commissioner (FDPIC).
Data protection recommendations
As far as data protection is concerned, traders are strongly recommended to adopt the following practices:
- Provide a data protection declaration on the e-commerce website (see below).
- Implement user authentication techniques (e.g. SuisseID) and encryption of data in transit (a secure connection over HTTPS).
- Only ask customers for essential information. Irrelevant questions generate mistrust.
- Clearly indicate the personal data used and the purpose.
- Give the user the right to limit the use made of their data and with whom it is shared (consumer profile, advertising).
The remit of the Federal Data Protection and Information Commissioner (FDPIC) is to explain the Data Protection Law and offer its recommendations in this area.
Data protection declaration on an e-commerce site
On an e-commerce website, a data protection declaration is used to communicate the methods put in place to protect user privacy. To win customer confidence, traders are recommended to have such a document and display it in an easily accessible part of the website.
The data protection declaration must contain the following points as a minimum:
- To which legal provisions is the service provider's data-processing practice subject?
- Which personal data is collected and for what purpose?
- Which personal data is communicated to third parties and for what purpose?
- What choices is the user offered in terms of the processing of their data?
- What rights (particularly right of access and right of correction) do users have?
- Which department is responsible for answering questions about data processing?
- Which security measures are applied to protect personal data?