Switzerland: EU General Data Protection Regulation: Implications For Swiss Businesses

Last Updated: 22 March 2018
Article by Oliver Kunzler and Martina Braun

The EU GDPR does not confine itself to harmonising national legislation and reaffirming current EU data protection principles, but rather enhances data protection rights in significant respects. This also affects Swiss data protection legislation, which will need to be revised and amended in line with EU standards.

Introduction

The EU GDPR was adopted on 27 April 2016. A two-year transition period for implementation was granted, ending on 25 May 2018. From this date, the EU GDPR will apply directly and, in principle, uniformly across all EU member states. However, member states are allowed a degree of latitude in enacting the relevant national implementing regulations.

Applicability of the EU GDPR to Swiss businesses?

As regards its personal scope, the EU GDPR applies both to the parties responsible for making decisions as to the purposes and means of processing data ("controllers") and those responsible for processing data on behalf of a controller ("processors").

In terms of its material scope, the EU GDPR makes no distinction with regard to the volume of data or type of personal data processed. However, the protection afforded by the EU GDPR does not extend to the data of legal entities. Moreover, the EU GDPR does not apply to data processed in the course of a personal or household activity.

All natural persons within the EU shall be able to claim protection under the EU GDPR. Accordingly, the territorial scope of the EU GDPR also extends to controllers and processors that are not established in the EU, but supply goods and services to data subjects within the EU and process their personal data in this context. The same applies to undertakings that are not established in the EU but record and analyse the behaviour of data subjects (e.g. businesses engaged in web tracking).

Moreover, the EU GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU, regardless of where the data processing takes place. This would be the case, for instance, if a Swiss data centre were to perform operations for clients based in the EU, or if a Swiss parent company were to process client data for a subsidiary with a registered office in the EU for the purpose of supporting its business activities.

In light of the above, many Swiss businesses will fall within the scope of the EU GDPR.

Overview of the EU GDPR

The processing of personal data is only lawful under the EU GDPR if the data subject has given valid consent or if any of the other prerequisites set out in the Regulation apply (e.g. performance of a contract, compliance with a legal obligation, pursuit of legitimate interests).

The EU GDPR imposes stringent requirements for obtaining valid consent from data subjects. Consent must be freely given and informed, and requires for each individual case an unambiguous indication of the data subject's wishes in the specific circumstances by way of a clear affirmative action. Implied consent is no longer sufficient (consent must be given through clear affirmative action, e.g. by clicking a button). Moreover, data subjects have the right to withdraw their consent at any time.

The EU GDPR attaches the utmost importance to the principle of transparency. It gives expression to this principle by setting out comprehensive obligations to provide information and to grant access rights. Controllers must provide information on their identity as well as contact details and, where applicable, the contact details of the controller's representative and/or its data protection officer. It must be indicated what data will be collected and processed, the purposes of the processing, and the period for which the personal data will be stored. Where applicable, information must be provided on the recipients of the data and on the transfer of data to a non-EU or non-EEA country. In addition, data subjects must be informed of their right to request access to and rectification or erasure of their personal data, their right to object to processing, and their right to lodge a complaint with a supervisory authority. This information must be concise, easily accessible and easy to understand, and written in clear and plain language. Additionally, visualisation may also be used.

In addition to the above rights, all data subjects have the right, subject to certain conditions, to request personal data concerning them to be transmitted in a structured, commonly used and machine-readable format (right to data portability).

Along with the data processing principles currently in effect, the EU GDPR establishes the notion of accountability of controllers. From now on, anyone processing personal data should not merely comply with data protection rules but also be able to demonstrate compliance. It follows from this principle of accountability that records of all data processing activities have to be kept. Only businesses employing fewer than 250 persons, which only process data on an occasional basis, are exempted from this requirement, unless the processing activities present serious risks or involve sensitive personal data.

Businesses not established in the EU, which supply goods or services within the EU or monitor the behaviour of persons within the EU, must appoint an EU representative unless the data processing (i) is only occasional, (ii) does not include sensitive personal data, and (iii) does not involve any special risk. The EU GDPR also introduces the requirement to designate an internal data protection officer in certain circumstances. This will apply, in particular, if the core activities of an enterprise consist in the regular and systematic monitoring of data subjects or the processing of sensitive data on a large scale.

Furthermore, the EU GDPR requires the implementation of appropriate technical measures that meet the principles of data protection by design and data protection by default (e.g. data minimisation, pseudonymisation).

Where the processing of data is likely to pose a high risk to data subjects, a data protection impact assessment must be carried out. Such an assessment must include, inter alia, a description of the data processing operations envisaged, an assessment of the risks involved, and a list of the measures in place to address such risks.

There is an obligation to report and communicate any personal data breaches. As a general rule, controllers must report any breaches to the supervisory authority without delay and not later than 72 hours after having become aware of the breach, unless the breach does not pose a risk to the rights and freedoms of data subjects. Any data breach that entails a high risk for data subjects must be communicated to the data subjects concerned. In any case, all instances of breach and the relevant measures taken must be documented.

The supervisory authorities to be designated by each member state have considerably broader powers than those conferred on the Federal Data Protection and Information Commissioner (FDPIC). Among other things, supervisory authorities will have the power to impose fines as administrative sanctions (up to EUR 20,000,000 or 4% of the total worldwide annual turnover for the preceding financial year).

Revision of the Swiss Data Protection Act

On 15 September 2017, the Federal Council submitted its message concerning the complete revision of the Swiss Data Protection Act (DPA) and the relevant draft bill.

The key objective is to update the DPA and align the Swiss legislation with EU data protection law. More specifically, it is intended to facilitate ratification of the revised Council of Europe Convention ETS No. 108 and adoption of EU Directive 2016/680 on the protection of natural persons with regard to the processing of personal data in relation to criminal matters. Switzerland must implement this Directive to comply with its obligations under the Schengen Agreement. A further aim is to achieve convergence with the EU GDPR, thus ensuring that Switzerland continues to be recognised as a non-EU country providing an equivalent level of data protection on the basis of a so-called "adequacy decision" by the EU. Securing such an adequacy determination is crucial for the Swiss economy.

Pursuant to the draft bill, the rights of data subjects shall be reinforced (enhanced transparency obligations, more stringent requirements for obtaining valid consent, and requirements pertaining to data protection by default). It is also intended to promote self-regulatory measures, extend the powers of the Swiss Federal Data Protection and Information Commissioner (FDPIC), and tighten up the penalty provisions.

Although the draft bill must first be debated by Parliament, it is reasonably likely that the DPA will be aligned with EU data protection law.

Provided that this has not been done yet, it is time for every business in Switzerland to evaluate whether actions need to be taken regarding the EU GDPR and, if so, to implement the required measures.

Measures to be taken

All Swiss-based businesses, regardless of size, need to establish whether they are affected by the EU GDPR. If this is the case, it will be necessary to identify which personal data is collected and processed and ascertain where, by whom and how the data is collected and processed and for what purposes. The data protection measures and procedures in place must also be documented.

Businesses will subsequently need to establish which data protection rules apply, whether they need to comply with these, and identify any gaps that need to be addressed. Following a risk-based approach, the necessary measures must then be implemented. These may include, for example:

  • measures regarding the provision of information (e.g. privacy statement);
  • entering into or amending agreements with processors;
  • assessing the legal basis for data processing;
  • obtaining the consent of data subjects where required;
  • establishing internal procedures to safeguard the rights of data subjects (right to obtain and access information, right to have information rectified or erased, and right to object);
  • technical and organisational protection measures;
  • documenting data processing activities;
  • implementing the necessary procedures regarding data breaches;
  • conducting data protection impact assessments, where required;
  • designating a data protection officer and/or EU representative, where required.

Finally, it will be necessary to ensure that any measures and procedures established are implemented and maintained on an ongoing basis. To this end, it is essential to (i) designate responsible officers within the organisation, (ii) ensure that such officers have adequate resources, and (iii) raise awareness of data protection issues in general.

Outlook and practical recommendations

The EU GDPR affects many Swiss businesses. Efforts are also underway to achieve convergence between the Swiss Data Protection Act and EU data protection law. It is therefore advisable for all Swiss businesses to review their procedures and measures in relation to data processing.

In order to ensure that the steps described above are implemented as effectively and efficiently as possible, it is beneficial to set up a task force. The task force should include personnel from IT, Legal & Compliance and HR as well as the parties responsible for processing data, and must be given all necessary resources. Finally, it is essential to integrate any key decision-makers into the process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

MME Legal | Tax | Compliance