GDPR - Swiss companies also affected by the new EU Data Protection Regulations

As of 28 May 2018, Swiss companies will face fines amounting to millions if they violate the EU's new General Data Protection Regulations.

Who is affected?

All natural or legal persons as well as authorities processing personal data of EU citizens. This also includes those who carry out data processing on behalf of EU companies and those who collect web statistics from visitors from the EU.

What's new?

• Penalty threat: In case of an offence, a fine of 2 to 4 percent of the worldwide annual turnover or 10 to 20 million EU - depending on what is higher - is possible.

• Personal data: The definition will cover a wider range. In the future, it will suffice if a combination of anonymous data enables identification.

• Consent: Persons affected (for children under 13 years of age their legal guardian) must give explicit consent to the processing of their data before these are collected. This consent can be revoked at any time.

• Correction and deletion: Applications for the correction or deletion of data from authorised persons must be processed free of charge within one month.

• Inventory: An inventory of the organisation's data collections must be kept.

• Portability: Personal data must be able to be transferred from one provider to another (e. g. Facebook to Google+).

• Human hearing: The processing of inquiries must not be automated: an affected person has the right that a human being is involved on behalf of the provider.

• Data protection: Data protection requirements have been increased and include data integrity and data loss prevention.

• Notification of injuries: Those responsible must inform the competent authorities within 72 hours of any breach of the protection. In serious cases, this information must be disclosed also those affected. 

• Accountability: Anyone who collects or processes personal data must be able to prove that they are GDPR-compliant.

• Representatives in the EU: Swiss companies must appoint a representative in the EU in connection with data protection, except if data processing is only occasional, does not involve a significant amount of data or if the data is not particularly sensitive.

What does that mean?

Some aspects are evident. For example, the privacy statement must be displayed and accepted explicitly and prior to the collection of data. But others are unclear, for example: What do Swiss companies have to take into account when employing German employees? What do Swiss doctors have to consider when treating patients from the EU? What does the portability of data mean for web shops or banks? How do companies have to ensure that minors have given their consent to the processing of their data? How can you be sure that someone is authorized to view or delete data?

One thing is certain: in Switzerland too, one has to deal with the GDPR and examine whether any action and which measures are necessary. This is not always trivial. A process through which potentially thousands of people could demand the surrender/deletion/correction of their data and claim their demands to be met within a month's time cannot be implemented overnight. And there is only a year and a half  to go before the law comes into force...