The Swiss and EU data protection landscape is about to change fundamentally. If you collect or process data of customers and/or employees in Switzerland and/or the EU, you will most likely need to comply with the enhanced Swiss and EU rules.
Both Switzerland and the EU are introducing new and far stricter data protection rules that will apply to virtually all companies that process personal data of customers and/or employees. Moreover, both the new Swiss and the new EU data protection regimes have a broad international scope, which may mean that you have to comply with both. While the new Swiss rules are expected to enter into force on 1 August 2018, the revised EU regime will apply from 25 May 2018. What should Swiss and EU businesses do to prepare for the new Swiss and EU rules, knowing that non-compliance may result in severe sanctions?
Your safest approach will be to comply with the highest standards of both the revised Swiss Federal Act on Data Protection (DPA) and the EU General Data Protection Regulation (GDPR). Our Swiss and EU data protection experts will show you in a series of short articles how you can comply with the most relevant requirements under the DPA and GDPR.
Broad geographical scope of the new rules
Let’s first take a look at the territorial scope of the DPA and GDPR.
Unlike the GDPR, the DPA contains no provision on its territorial scope. If civil proceedings are brought in Switzerland against a non-Swiss entity for a data protection infringement, the Swiss courts will apply the Swiss conflict of law rules. Under those rules, the DPA will generally apply to any non-Swiss data controller or data processor that interacts with persons (data subjects) residing in Switzerland. The DPA may also apply where the effect of a data protection infringement occurs in Switzerland.
The GDPR, for its part, contains an explicit provision on its own territorial scope (Article 3 GDPR).
The GDPR applies in the following cases:
- If your company is established in the EU (regardless of whether the data are processed in the EU or not). For example, an IT company with its registered office in Belgium stores personal data on servers located in Switzerland. The GDPR applies to the Belgian company because the company is established in the EU; it is irrelevant that the processing actually takes place in Switzerland (outside the EU).
- If your company is not established in the EU but (i) offers goods or services to individuals in the EU, or (ii) monitors the behaviour of individuals in the EU. For example, a bank with its registered office in Switzerland also offers its financial services to individuals living in the EU and, as a result, processes the personal data of customers who live in the EU; the GDPR applies to that processing.
Some other examples in which the GDPR will or may be triggered even if your company is established only in Switzerland:
- Your company works closely with an EU sales agent or an EU subsidiary that enables you to sell your products or services to EU customers (note: this applies in a B2B context as well);
- Your company operates a website through which EU customers are targeted to buy your products or services;
- Your company's HR administration is managed by your EU-based parent company (even where it concerns Swiss employees).
As you can see, the GDPR has a very broadly defined international scope, and although the DPA contains no comparable provision, its scope may also extend beyond the Swiss border because it follows the Swiss conflict of law rules.
How do the DPA and the GDPR compare?
In terms of content, the DPA is largely similar to the GDPR. Some differences remain, however. In particular, the following topics are treated differently:
- the GDPR contains more stringent requirements regarding the consent of the data subjects;
- the GDPR provides for more rigid requirements regarding data breach notifications;
- a right of data portability applies under the GDPR but not under the DPA;
- the DPA has a broader definition of what counts as 'sensitive data';
- under the DPA, the information rights of data subjects are in some respects stronger and in others weaker than under the GDPR;
- the DPA appears to set a stricter threshold for when a data protection impact assessment becomes mandatory; and
- last but not least, the sanction systems for infringements are entirely different: the GDPR provides for higher fines, whereas the DPA provides for lower fines but criminal sanctions against individuals.
Importance of complying with the GDPR and DPA
Data protection compliance has become a boardroom topic, mainly because of the severe sanctions for non-compliance (under the GDPR: fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher).
Especially if you do business with EU customers, you need to bring your data processing and data exchange practices in line with the detailed GDPR and DPA obligations. As the GDPR can be considered one of the highest data protection standards, GDPR compliance can also be a business opportunity and a competitive advantage, making your business dealings and data exchanges involving the EU smoother and easier.
As the GDPR applies from 25 May 2018, it is time to actively prepare for it.