The EU General Data Protection Regulation (GDPR) will apply from May 25, 2018. The more stringent requirements for the handling of personal data will also apply to data processing by the numerous Swiss companies that target the EU end customer market or whose data processing in some other way falls within the (intended) broad scope of the GDPR. The somewhat ambiguous wording and the complexity of the GDPR favor myths and misconceptions. Some of them also find their way into publications and recommendations of advisors. In this blog post, we highlight ten myths we encounter in our practice (namely in the context of ongoing GDPR compliance projects for Swiss companies) and clarify the corresponding misconceptions.
1. Under the GDPR, the processing of personal data always requires the data subject's consent – WRONG
Unlike the Swiss Federal Data Protection Act (DPA), the GDPR is based on the principle that the processing of personal data is prohibited. A good reason (a so-called legal basis) is required for data processing. Consent is only one of six possible legal bases for data processing (Art. 6(1) GDPR).
The following legal bases will be more significant and easier to manage in practice: Necessity for the performance of a contract with the data subject; the controller's compliance with a legal obligation laid down in EU or Member State law (not Swiss law!); or overriding legitimate interests pursued by the controller or a third party.
2. Under the GDPR, consent is always required for profiling on the basis of personal data – WRONG
Profiling as a method of processing is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This is unlikely to be the case for most advertising-related profiling and for the personalization of offerings.
Only by adopting an extremely broad interpretation of the relevant provisions (in particular, Arts 22(1) and 35(3)(a) GDPR) could one conclude that "profiling" for targeted advertising or personalized offers is subject to increased requirements – namely, mandatory opt-in and performance of a data protection impact assessment.
But beware: the EU is about to adopt the ePrivacy Regulation that may bring along more stringent requirements for online tracking and profiling.
3. The GDPR applies to data processing by Swiss companies if they deliver goods or provide services to end customers in the EU – WRONG or INACCURATE
It is not the provision of goods or services that triggers the applicability of the GDPR. Rather, the offering of goods or services (with or without a payment) to end customers (individuals) in the EU (or in the EEA) makes the corresponding processing of personal data subject to the GDPR. Data processing by Swiss companies that recognizably target their offering (also) to the EU end customer market (e.g. advertising that is also directed to end customers in the EU or offerings of an online store provider that recognizably also targets end customers in the EU) will fall within the scope of the GDPR pursuant to Art. 3(2)(a) GDPR. In addition to the principle of establishment (Art. 3(1) GDPR), the GDPR relies on the marketplace (or target market) principle (Art. 3(2) GDPR).
Even data processing in the context of the "monitoring of behavior" taking place within the EU (Art. 3(2)(b) GDPR) will be subject to the GDPR only if the monitoring occurs in connection with an EU end customer market orientation (target market principle). This is required by the fundamental principle of public international law known as comity (mutual respect of jurisdiction) and resembles the principle of market effects, as applicable under EU competition law.
4. If Swiss companies target their offering to the EU end customer market, the company as such will be subject to the GDPR for all data processing activities – WRONG
The GDPR applies to data processing activities, not to companies or organizations in general. Swiss data protection or employment law applies to the processing of personal data of employees based in Switzerland and to data processing in connection with the offering of services to end customers (individuals) in Switzerland. This applies even if data processing by companies in Switzerland in connection with the offering of services on the EU end customer market (or the monitoring of user behavior, which occurs in the EU) is subject to the GDPR.
5. Data processing activities of Swiss companies are subject to the GDPR if they engage a service provider in the EU to carry out the data processing on their behalf (cross-border outsourcing) – WRONG or INACCURATE
The GDPR applies to data processing carried out in the context of activities of an establishment of any processor established in the EU (e.g. the operator of a data center in Germany). The GDPR, however, does not apply to data processing activities of Swiss companies solely because they outsource their activities to a processor established in the EU (e.g. if a Swiss online platform is hosted by Amazon in Germany).
The determining factor is the responsibility for the specific data processing activities.
Companies in Switzerland must comply with the Swiss DPA in relation to data processing for which they are subject to the Swiss DPA (and not the GDPR). This is true even if they outsource such data processing activities to processors established in the EU.
6. In the case of contractual relationships with external service providers, a data processing agreement in accordance with Art. 28(3) GDPR is always required. This also includes, in particular, the client-attorney relationship – WRONG
Art. 28(3) GDPR (obligation to conclude a data processing agreement) seeks to ensure that a controller also complies with the provisions of the GDPR if it commissions a third party (processor) to carry out data processing activities for which the controller is and remains responsible (outsourcing of business processes or data processing). The controller determines the purposes and means of data processing (Art. 4(7) GDPR). The processor processes the personal data on behalf and only according to the controller's instructions – but not for purposes determined by the processor (Art. 4(8) and Art. 28(3) GDPR).
Typical examples of the controller-processor relationship (outsourcing) pursuant to Art. 28(1) and (3) GDPR:
- A bank commissions a data center provider with the storage and making available of its data (outsourcing).
- A company uses Microsoft Office 365 or another cloud-based software (e.g. an expenses claim tool for employees).
Reason: The bank/company retains control over the purposes of the processing. The outsourced business processes/processing activities are ones for which the bank/company is responsible, and it remains responsible for them even in the event of outsourcing.
Typical examples in which no controller-processor relationship exists and therefore no agreement in terms of Art. 28(3) GDPR is required:
- A company instructs an attorney to provide legal services (disclosing, if necessary, the name of the employee whom the company intends to dismiss).
- An insurance company commissions a physician to prepare an expert opinion on an insured person's claim.
Reason: Even if the client initiates the legal service/expertise and if the client provides the attorney with personal data (e.g. of an employee), the attorney is, and remains, responsible for the processing of such data for the purposes of providing the legal advice. The attorney will provide the service in accordance with professional obligations applicable to him. The client, however, remains responsible for the processing of the personal data for the client's purposes – e.g. implementation of the employment relationship in accordance with contractual and data protection obligations.
7. The GDPR establishes uniform rules for the handling of personal data throughout the EU – WRONG
The GDPR contains numerous (around 70) opening clauses – some mandatory, some optional. Optional opening clauses enable Member States to provide, in their data protection or other laws that implement or supplement the GDPR, exceptions or derogations from certain provisions of the GDPR (such as information requirements and disclosure obligations).
- Art. 88(1) GDPR enables Member States (within certain limits) to enact more specific provisions for the processing of personal data in the context of employment (e.g. for the purposes of ensuring equality and diversity in the workplace, safeguarding health and safety in the workplace, protecting the privacy of employees, or the performance of employment contracts).
- Art. 23 GDPR allows Member States (within certain limits) to enact exceptions or restrictions, in particular with regard to the information obligations (Arts 12–14 GDPR) and the rights of access, rectification, restriction, erasure and objection (Art. 15 et seq.). Germany has made extensive use of this in the revised Federal Data Protection Act.
- Art. 37(4) GDPR allows Member States to require companies to designate a data protection officer even if they are not required to do so according to Art. 37(1) GDPR. Under the revised German Federal Data Protection Act, companies must (as before) always designate a data protection officer if at least ten employees regularly engage in automated processing of personal data (which is true for almost all companies with ten or more employees).
Mandatory opening clauses obligate Member States to enact implementing regulation, for example to establish institutions such as one or more data protection supervisory authorities, or to provide effective remedies.
8. Supervisory authorities will always impose a fine of up to EUR 20 million or 4% of annual worldwide turnover for breaches of the GDPR – WRONG
Instead of (or in addition to) fines, supervisory authorities may also require companies or organizations to take remedial measures – e.g. issue warnings or reprimands to a controller or processor, order them to comply with data subjects' requests for access or erasure, or order them to bring processing operations into compliance with the provisions of the GDPR. Particularly in the initial phase from May 25, 2018, many supervisory authorities will want to take such measures and thus contribute to further raising awareness of data protection compliance. In doing so, they will consider whether a company or organization is already well on the way to compliance – that is, whether it has already taken the most urgent implementation measures and is on track with the rest.
In addition, the EUR 20 million (or EUR 10 million) or 4% (or 2%) of annual worldwide turnover are maximum fines. Supervisory authorities will calculate the actual fines in accordance with the conditions for the imposition of fines (Art. 83 GDPR). The nature, gravity and duration of the infringement are decisive for the calculation. In particular, supervisory authorities must take into account the scope and purpose of the data processing concerned, the category of data concerned, the number of data subjects affected, relevant previous infringements by the controller or processor concerned, and the degree of cooperation with the supervisory authority (Art. 83(2) GDPR).
Moreover, due to the limited resources of the supervisory authorities, it can be assumed that private enforcement of rights under the GDPR will become increasingly important. Member States may authorize qualified associations to sue on behalf of affected individuals (Arts 79 and 80(1) GDPR).
9. Under the GDPR, all controllers and processors must designate a data protection officer – WRONG
The GDPR only requires controllers and processors to designate a data protection officer if they carry out extensive and systematic monitoring of behavior or extensive processing of special categories of personal data as part of their core activities (Art. 37(1) GDPR). Note, however, that the GDPR authorizes Member States to require the designation of a data protection officer in additional cases (see Myth 7 above).
Irrespective of the legal requirements, voluntary designation of a data protection officer (or a person with general responsibility for the data management in the company) is recommended. It will facilitate compliance with the extensive documentation and accountability obligations under the GDPR, and the oversight of the implementation of the guidelines and processes (for example for responding to access and erasure requests or for data breach notifications).
10. The Swiss Federal Data Protection and Information Commissioner will enforce the GDPR against companies in Switzerland – WRONG
The data protection supervisory authorities in the EU Member States that are competent pursuant to the GDPR (Art. 55) are responsible for enforcing the GDPR against companies in Switzerland whose data processing activities are subject to the GDPR – not the Swiss Federal Data Protection and Information Commissioner. In practice, data protection supervisory authorities in the EU Member States will not be in a position to enforce fines against companies in Switzerland without cooperation agreements between the EU and Switzerland.
However, companies in Switzerland are obliged (with a few exceptions) to designate a representative in the EU (Art. 27 GDPR) if the GDPR is applicable to their data processing on the basis of the marketplace principle (Art. 3(2) GDPR). Regulatory authorities may serve the representative with orders against the represented company.
Conclusions
The wording of the GDPR is not a shining example of an easy-to-understand and simple legal act. It gives rise to numerous misconceptions, of which we have highlighted only a selection from our practice. However, the GDPR can be credited for bringing the issues of data protection and data security to the attention of the top management of companies even in Switzerland. The threat of potentially significant fines may have played its part in fostering these developments.
Irrespective of the legal requirements, the unease of employees and consumers regarding the handling of their data in digital business models is real. Compliance projects should therefore not only be geared towards GDPR compliance (and meticulously analyze in which scenarios data processing by companies in Switzerland is subject to the GDPR). Rather, the paramount goal of such projects is to strengthen the trust of customers and employees.