Understanding Data Security, GDPR and LPD
This guide covers data protection regulations in Switzerland and Europe and the measures taken by Infomaniak to secure your customer data and data within Web Hosting and Mail Services.
Understanding the difference between data security and data confidentiality
Data security aims to prevent any unauthorized access to your information. It relies on measures such as encryption, firewalls, or VPNs. A security breach can have disastrous consequences: imagine if a hacker steals your entire customer database and demands a ransom to recover it. This type of attack, ransomware, can paralyze a company overnight.
Data confidentiality concerns who can access your information and how it is used. Even if your data is secure against hacking, it can be collected, analyzed, and resold… legally.
Example: you carefully store your customers' information, but unbeknownst to you, a service you use shares this data, in anonymized form, with third parties. Result? Your competitors can obtain valuable analyses of your market and target your own customers without ever needing to hack.
LPD & GDPR
In Switzerland, the LPD (Federal Data Protection Act) and nLPD (for the "new Law" in effect since September 2023) protect the confidentiality of residents by regulating the collection and processing of personal data by organizations.
On the other hand, the GDPR (General Data Protection Regulation) of the EU, in effect since May 2018, influences global companies processing the data of European residents, including in Switzerland. While the LPD applies to the data of Swiss residents, the GDPR concerns that of EU residents. Swiss companies managing European data must comply with the GDPR requirements, including the designation of a Data Protection Officer and the conduct of Impact Assessments in case of risky processing.
Your role as an Infomaniak Client
The hosted data belongs to you; where it contains personal data of your visitors, contacts, and customers, it is your responsibility to ensure compliance.
When processing this personal data, you must inform users about how and why the data is being processed. This is usually done through a privacy policy or privacy statement, and a DPA.
Agreement between data controller and processor
A DPA (Data Processing Agreement), known in German as AVV (Auftragsverarbeitungsvertrag), in Italian as ATD (Accordo di Trattamento dei Dati), and in Spanish as CTA (Contrato de Tratamiento de Datos), is a data processing agreement or personal data processing contract.
This is a mandatory contract provided by the GDPR between a data controller and a processor. It defines the purpose, duration, and nature of the processing, as well as the obligations and security measures. Its objective is to protect the personal data entrusted to a service provider.
This GDPR certificate (in PDF format) can be generated and downloaded from the Manager (accessible to organization users who are owners or administrators):
- Click here to access DPA management on the Infomaniak Manager (need help?).
- Click on the Generate button to download the custom PDF document:
Here are some tips on this subject:
- Inform about all data processing, not just those related to the website.
- Ensure easy access to the privacy statement on the website, for example in the footer of each page.
- In general, it is not necessary to obtain user approval of the privacy statement (e.g., on forms); it is sufficient to indicate where the statement can be found (for example, with Site Creator).
- Keep in mind that new, more in-depth information rules may require adjustments to existing privacy statements.
It is crucial to differentiate between the security of the infrastructures where your data is hosted and the management and implementation of your data on your side. As a host, Infomaniak acts as a subcontractor for your GDPR obligations. In this context, its privacy policies and cookie usage, as well as its terms and conditions, provide the necessary guarantees regarding its compliance as a subcontractor.
If necessary, you can find professionals or online guides to help you in the compliance process.
Infomaniak's Role
Like any company that works with user data, Infomaniak must comply with the LPD and, because some of these users are European citizens, with the GDPR as well:
- the data privacy policy details the data that Infomaniak retains to provide and execute its services
- the policy related to the protection of your personal data describes Infomaniak's commitments as a subcontractor that hosts all of your data, including personal data
These commitments, transcribed in the general terms and conditions and specific terms and conditions, are as follows:
- keep your data within data centers exclusively located in Switzerland and never transfer your information outside these infrastructures
- apply rigorous security standards and constantly improve processes to guarantee you a high level of security across all services
- promptly inform you in case of a breach of your data
- ensure transparency with you when Infomaniak uses subcontractors who may process your data
- strengthen and develop physical security measures to prevent any unauthorized access to the infrastructures where your data is stored
- implement physical and/or logical isolation systems (depending on the services) to separate the hosting of different clients; moreover, Infomaniak performs annual penetration tests to ensure data integrity between clients
- demonstrate a high level of reactivity in the secure updating of systems under its responsibility
Manage the cookies of the site infomaniak.com
When you visit infomaniak.com, you are asked to accept or refuse certain cookies. To change this choice later, open your preferences from the bottom of the site's page: