Both Switzerland and the EU will introduce new and far stricter data protection rules that will apply to virtually all companies that process personal data of customers and/or employees. Moreover, both the new Swiss and EU data protection regulations have a broad international scope, which could mean that you will have to comply with both. While the new Swiss rules are expected to enter into force on 1 August 2018, the revised EU regime will be applicable as from 25 May 2018. What should Swiss and EU businesses do to prepare for the new Swiss and EU regulations, knowing that non-compliance may result in severe sanctions?
Your safest approach will be to comply with the highest standards of both the revised Swiss Federal Act on Data Protection (D-DPA) and the EU General Data Protection Regulation (GDPR). Our Swiss and EU data protection experts will show you in a series of short articles how you can comply with the most relevant requirements under the D-DPA and GDPR.
Broad geographical scope of the new rules
Let’s first take a look at the territorial scope of the D-DPA and GDPR.
Unlike the GDPR, the D-DPA does not contain any provision on its territorial scope. If civil proceedings are brought in Switzerland against a non-Swiss entity for a personal data infringement, Swiss courts will apply the Swiss conflict-of-law rules. Under these rules, the D-DPA will generally apply to any non-Swiss data controller or data processor interacting with persons (data subjects) residing in Switzerland. The D-DPA may also apply where the effect of a personal data infringement occurs in Switzerland, even if the processing itself took place abroad.
The GDPR, for its part, contains an explicit provision on its territorial scope.
The GDPR will apply in the following cases:
- If your company is established in the EU (regardless of whether the data are processed in the EU or not)
For example, an IT company having its registered office in Belgium is storing personal data on servers based in Switzerland. In that case, the GDPR will apply to the Belgian company because the company is established in the EU. It is not relevant that the processing is factually taking place in Switzerland (outside the EU).
- When your company is not established in the EU, but (i) offers goods or services to individual(s) in the EU, or (ii) monitors the behaviour of individual(s) in the EU.
For example, a bank with its registered office in Switzerland that also offers its financial services to individuals living in the EU and, in doing so, processes the personal data of customers living in the EU, will be subject to the GDPR for that processing.
Some other examples in which GDPR will or may be triggered if your company is (only) established in Switzerland:
- Your company is working closely with an EU sales agent or EU subsidiary that enables you to sell your products or services to EU customers (note: also in case of B2B);
- Your company has a website on which EU customers are targeted to buy your products or services;
- Your company's HR administration is managed by your EU-based parent company (even if it concerns Swiss employees).
As you can see, the GDPR has a very broadly defined international scope, and although the D-DPA does not include a similar provision, its scope may extend beyond Swiss borders because it follows the Swiss conflict-of-law rules.
How do the D-DPA and the GDPR compare?
The D-DPA is largely similar to the GDPR with respect to its content. However, some differences remain. In particular, the following topics are treated differently:
- the GDPR contains more stringent requirements regarding the consent of the data subjects;
- the GDPR provides for more rigid requirements regarding data breach notifications;
- a right of data portability applies under the GDPR but not under the D-DPA;
- the D-DPA has a broader definition of what should be considered ‘sensitive data’;
- under the D-DPA, the information rights of data subjects are sometimes broader and sometimes narrower than under the GDPR;
- the D-DPA appears to be stricter as to the threshold that triggers the obligation to carry out a data protection impact assessment; and
- last but not least, the sanction systems for infringement of the law are totally different under GDPR (higher fines) and D-DPA (lower fines, but criminal sanctions against individuals).
Importance of complying with the GDPR and D-DPA
Data protection compliance has become a boardroom topic, mainly because of the severe sanctions for non-compliance (under the GDPR: fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher).
Especially if you are doing business with EU customers, you need to bring your data protection and data exchange processes in line with the detailed GDPR and D-DPA obligations. As the GDPR is among the highest data protection standards, GDPR compliance can be a business opportunity and a competitive advantage, making your business dealings and the exchange of data involving the EU smoother and easier.
As the GDPR will apply from 25 May 2018, it is time to actively prepare for it.
To help you in this compliance exercise, we will delve deeper into each of the essential GDPR topics in a series of articles that we will publish over the next weeks.
Our Swiss / EU Team can help you
The Loyens & Loeff Data Protection & Privacy Team consists of Swiss and EU experts providing integrated legal advice on a wide variety of complex privacy and data protection related matters relating to various sectors. Our team has particular expertise in setting up frameworks for the processing of personal data, either by analysing existing business tools, or by providing legal guidance on the development of appropriate tools. We regularly conduct in-house compliance assessments and draft legal documents such as privacy policies, data processing agreements, compliance policies and guidelines, both under the current legal regime and under the GDPR/D-DPA.
Our expertise in the current and future legislative framework in both Switzerland and the EU means that we are uniquely positioned to also assist companies based outside the EU on their road to GDPR/D-DPA compliance.