General Data Protection Regulation

1. Initial position
The General Data Protection Regulation (GDPR) of the European Union entered into force on 25 May 2018. However, the GDPR does not only apply to companies with their seat in Europe. Swiss companies may also fall within the purview of the GDPR.

2. Which Swiss companies are affected?
Swiss companies that have a branch in one of the EU member states are affected. But the GDPR also applies beyond the territory of the EU: it likewise applies to all companies outside the EU if they process data of persons resident in the EU in order to offer them goods or services, or if the data serves to observe the behaviour of persons, for example through data analysis of website visitors from the EU.

3. Most important new developments
Companies in Switzerland affected by the GDPR have to comply with the new data protection regulations. Some easing of the requirements for smaller companies is permitted.
The new data protection regulations cover the following obligations in particular:

  • obligation to appoint an internal or external data protection officer;
  • privacy impact assessment, i.e. introduction of a prior internal review if data processing operations involve high risks for the rights of the data subjects;
  • introduction of the right to data transferability for users (data portability);
  • right to erasure;
  • designation of a data protection officer with seat in the EU;
  • tightened requirements on information obligations and obtaining the consent of the data subjects;
  • guaranteeing privacy by design and privacy by default.

4. Check need for action and implement measures
The new GDPR is directly applicable to many Swiss companies. Consequently, checking the need for action and implementing any measures is vital. Non-observance of the new EU data protection regulations is punishable by heavy fines (4% of turnover or up to a maximum of € 20 million, depending on which amount is higher). The priority here is to examine and modify the general terms and conditions of business, contracts, data protection guidelines, the homepage and other IT applications.