The scope of application of the new EU regulation on data protection, which enters into force on 25 May 2018, is so wide-reaching that numerous Swiss companies may be affected. A presentation of the main challenges.
The new European General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 across the entire European Union (EU). In certain cases, this regulation may also apply to companies headquartered in Switzerland.
It is important that companies that may be affected by this reform start to look into it immediately. If they are indeed impacted by the reform, they should check the compliance of their internal procedures, guidelines, contracts and confidentiality agreements, amongst others. Significant financial penalties are to be expected should the regulation be violated.
Which companies are affected?
Swiss companies will have to respect the GDPR if they handle personal data for individuals located within the EU and if data handling activities are linked to:
- Offering goods or services to these individuals (irrespective of whether payment is required).
- Monitoring the behaviour of these individuals, insofar as that behaviour takes place within EU member states (art. 3 para. 2 let. a and b GDPR).
To determine whether the activities of a company headquartered outside of the EU fall under the scope of the GDPR, legal advisors should analyse whether there is an intention to sell goods or services within the EU. Various factors can be examined (for example, whether the website refers to clients located in member states or to a currency that is legal tender within the EU). Under art. 3 para. 2 let. b GDPR, these legal experts can also analyse whether there is a clear intention to monitor the behaviour of individuals in the European area (for example, through the use of profiling techniques or Google Analytics).
What should the companies affected do?
As of 25 May 2018, the Swiss companies impacted by the new EU regulation should comply with the following obligations:
- Obtain the consent of and inform the person whose data will be processed.
- Ensure privacy by design and privacy by default.
- Appoint a representative within the EU.
- Keep a register of data processing activities.
- Declare any data breach to the supervisory authority.
- Perform a data protection impact assessment.
The fines that companies have to pay in the event of a data breach can amount to up to 4% of the worldwide annual turnover in the past financial year.
It should also be noted that a Swiss counterpart to the GDPR, a new Federal data protection law, is in the pipeline. Companies that have already adapted to comply with the GDPR will save themselves time when implementing the Swiss version once it comes into force.
This article is not exhaustive. For more information on the GDPR, please use the links below.
Source: The European Union’s General Data Protection Regulation – What Swiss companies need to know, Kellerhals-Carrard newsletter, Zurich (25 May 2017)
With the help of the Federal Office of Justice (FOJ) (August 2017)