The EU General Data Protection Regulation and other new privacy legislation are changing the landscape for Swiss companies active in the EU and have far-reaching consequences for internal and external business processes.
Authors: Andreas Jaeggi and Rehana Harasgama
With the introduction of the EU General Data Protection Regulation (GDPR) on 25 May 2018, a new era for data protection has begun, and not only in the EU. The GDPR mainly focuses on more transparency and accountability on the side of companies processing personal data while giving individuals more control over their own data.
Over the past few years – the GDPR was enacted in 2016 but became applicable only two years later – there have been a lot of murmurs about how the GDPR will affect the daily business of companies inside and outside the EU, such as in Switzerland. In fact, companies whose business models are often based on data processing raised a lot of questions as to the extraterritorial applicability and consequences of the GDPR.
However, it is not only EU data protection law that has been undergoing changes: Switzerland is also revising its Data Protection Act (DPA) in an effort to align its data protection law with EU standards. The aim is to modernize current law – new technologies have long overtaken the assumptions the DPA was based on in the early 90s – and to ensure continued unhindered cross-border data flows to the EU. The revised DPA will probably take effect at the beginning of 2020 at the earliest, and it is expected to impose obligations similar to those of the GDPR.
Against this background, this blogpost sheds some light on what the next steps should be for Swiss companies dealing with the manifold new data protection obligations, in particular under the GDPR.
Do the new EU data protection laws affect Swiss companies?
In short, the answer is yes, they may well affect Swiss companies. In particular, the GDPR applies to, or may need to be considered by, Swiss companies (or their EU subsidiaries/branches)…
- if a company with a subsidiary or branch in the EU offers services and/or goods to individuals in the EU through its subsidiary or branch,
- if a company directly offers services and/or goods to individuals in the EU, e.g. via its online shop,
- if a company processes personal data for a company based in the EU as part of an outsourcing arrangement, or
- if a company collects personal data by monitoring the behavior of persons in the EU, e.g. through web tracking.
The draft ePrivacy Regulation takes a similar stance: it is planned to apply extraterritorially in certain cases too.
What are the consequences for Swiss companies?
Swiss companies subject to the GDPR (and in the future to the revised DPA and the planned ePrivacy Regulation) have more obligations with regard to transparency and accountability when processing personal data (and other data in electronic communications). In particular, according to the GDPR, companies must implement processes to…
- ensure privacy-by-design and privacy-by-default, i.e. consider and apply data protection from the outset of new business activities by means of technology and default settings,
- implement technical and organizational measures to protect personal data obtained from individuals (data security),
- inform individuals of the planned processing activities related to their personal data (e.g. type of data, purpose of processing, data transfers, automated decisions etc.) and obtain explicit consent, where necessary,
- document their processing activities and, under certain circumstances, carry out data protection impact assessments,
- notify supervisory authorities and, in certain cases, individuals of data breaches, and
- at all times be able to prove their compliance with the applicable data protection obligations (accountability).
Furthermore, data processors – companies processing personal data on behalf of another company (outsourcing) – have separate obligations under the new data protection laws. In particular, the distribution of rights and obligations between the company outsourcing the processing activities (data controller) and the data processor has to be stipulated in a written contract.
The new legislation also brings new and innovative rights to individuals whose personal data is being processed. Thus, companies must implement processes for individuals to exercise their rights to access, information, erasure, data portability as well as their rights to restrict or object to any data processing.
As regards cookies on websites addressed to users in the EU, the current situation under the GDPR together with the existing EU Cookie Directive (but before the coming into force of the ePrivacy Regulation) is rather unclear and much debated. To be on the safe side, website operators should in any case obtain explicit consent at least for the use of third-party advertising cookies.
As regards the changes under Swiss law, it is important to know that the main features of the revised DPA will presumably not differ much from the general principles and requirements of the GDPR for legitimately processing personal data. Consequently, the new Swiss law will not bring too many changes for companies already compliant with the GDPR.
Finally, companies must be aware that they may face high fines if they do not comply with the new legislation, as the GDPR (as well as the draft ePrivacy Regulation) stipulates fines of up to 4% of global annual turnover or EUR 20 million in such cases. At the same time, it is not yet clear how and when such fines will be enforced across borders on companies based outside the EU. The proposed DPA also provides higher fines for non-compliance than in the past, although not at the level of the GDPR (currently up to CHF 250,000). However, and contrary to the GDPR, under the DPA it is planned that fines will not be imposed on infringing companies but directly on the employees responsible for the infringement.
How to tackle the new era – next steps
Although the deadline to be “GDPR-ready” was set to 25 May 2018, many companies are still adjusting their personal data processing activities to comply with the GDPR requirements. Thus, being GDPR compliant currently is still a competitive advantage.
As neither the draft DPA nor the proposed ePrivacy Regulation is in force yet, Swiss companies falling under the GDPR do not, for the moment, have to take any further steps than the GDPR requires. In addition, even where GDPR applicability is unclear or only partial, it can make sense to take a global approach and implement GDPR-compliant measures now and for all company processes, especially in view of the revised DPA.
In any case, all companies should at least follow the development and debates of both pending legislative changes (revised DPA and ePrivacy Regulation) closely and adjust accordingly if and when necessary. Furthermore, it is crucial for Swiss companies not only to be aware of the requirements they are facing, be it based on the GDPR or on the revised DPA and the ePrivacy Regulation, but also to act accordingly and prove they are making efforts to adjust their processes, systems and documents.
With the following five steps, EY can help your company to achieve a competitive advantage – now: