The European Parliament ratified the EU General Data Protection Regulation (GDPR) text on 14th April 2016. The GDPR will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states after two years, and Switzerland is affected as well.
This new legislation is an impactful change in privacy and data protection. All organizations dealing with EU data subjects are impacted. Historically, Swiss data protection legislation is closely tied to EU regulations. This is why the GDPR also requires attention from you as a Swiss organization.
Impact of the GDPR
A lot of information is already available about the GDPR, which is nearing its official enactment. Well known, for example, is the impact of the high fines that will be introduced with the GDPR (i.e. up to 4% of annual turnover or 20 million Euros). In addition, the GDPR places an increased number of requirements on your organization to demonstrate data protection compliance. For an overview of the GDPR, read the article General Data Protection Regulation – The end of a paper tiger.
Applicability of the GDPR for Swiss organizations
As the GDPR is an EU regulation, your conclusion may be that Switzerland and Swiss organizations are not affected, and therefore the GDPR would not be relevant for your Swiss organization. This conclusion would however be false.
The GDPR will be applicable not only to companies based in the EU (or their subsidiaries in the EU), but also to Swiss-based companies that offer goods or services to EU data subjects. The scope now includes organizations processing personal data of EU data subjects, or organizations that monitor the (online) behaviour of EU data subjects. Therefore, numerous Swiss organizations that have no local presence in the EU will now also be in scope of the EU GDPR legislation.
Examples of situations where a Swiss organization could fall in scope of the GDPR:
- A Swiss organization performs (part of) its processing activities in an EU country
- A Swiss-based organization offers goods via an online shop to EU data subjects
- An EU subsidiary employer of a Swiss company processes personal data of its EU employees
- A Swiss-based company collects data on EU data subjects’ (online) behaviour for marketing purposes
Swiss Data Protection Regulation
The above examples show how the EU GDPR would be relevant for your Swiss organization. However, even if your Swiss organization does not deal with EU data subjects, data protection compliance deserves your organization’s attention. Historically, Swiss data protection and EU data protection are closely tied. This was exemplified by the publication of the original data protection directive in the EU and the subsequent enactment of the Swiss Data Protection Act (DPA), which was largely similar in set-up. A comparable situation was seen with the “EU-US Safe Harbour” regulation, which was also adopted by Switzerland.
When the Swiss Federal Council engaged the Federal Department of Justice and Police to draft a revised DPA, which is expected by the end of August 2016, it decided that the revision should be drafted in due consideration of the EU data protection regulation. The Swiss Federal Council also outlined that it is economically important for Switzerland to be recognized as a country with an appropriate data protection level for the EU. Hence, the revised DPA is likely to be influenced by the GDPR’s principles and will likely include largely analogous rules and provisions. According to the envisaged timeline, the revised DPA should be enacted around the same period as the GDPR, which is the beginning of 2018.
Your organization might be impacted by the EU GDPR. A first step for your organization is to analyze to what extent this will be the case. Even if your organization is currently not in scope of the EU GDPR, it is important to pay adequate attention to data protection regulation. Swiss data protection is already relevant for your Swiss organization, and impactful regulatory changes are upcoming. Your organization should not underestimate the implementation effort needed to become data protection compliant.
- Factsheet: Towards effective Data Protection
- Article: General Data Protection Regulation – The end of a paper tiger
- CIO Advisory Services at KPMG