The European Union’s General Data Protection Regulation (GDPR) has been binding since 25 May 2018. What had long had a shadowy existence in the pages of legal journals is now surreptitiously creeping into the Swiss corporate landscape. The GDPR is designed to make data processing more transparent, reinforce the rights of individuals and place a great responsibility on data controllers and processors. The latter include Swiss companies if they have a relevant connection to the EU. This means that they should be checking whether the GDPR is applicable and reacting if necessary. Non-compliance potentially incurs hefty fines of up to EUR 20 million or 4 per cent of annual global turnover, whichever is higher.
Director, Leader Legal Compliance and data protection expert, PwC Legal Switzerland
Enterprises affected by the GDPR have to implement various rules in their existing or newly created data protection policy. They have to comply with the basic principles of data processing, including the principles of lawfulness, transparency, fairness, purpose limitation, data minimisation, accuracy and integrity and confidentiality. Anyone responsible for personal data must also actively demonstrate compliance with the data processing principles (accountability).
The duties of those responsible for personal data include:
To facilitate implementation of these requirements, companies should first assess the current situation with regard to compliance with the data protection rules. Then they should do a gap analysis to see how this diverges from the desired situation and remedy the gaps accordingly. This way the company can assess what needs to be done and take the necessary steps on a risk-based approach.
A key task, and one that is challenging in practice, is implementing a record of processing activities in line with art. 30 GDPR. Companies often don’t have a complete picture of where they process what data and for what purpose. Large organisations in particular sometimes have to contend with a dense jungle of data. Arranging these processing activities, bundling them in processes and then recording them in a clear overview can involve a lot of time and effort. If you’re looking for standard turnkey solutions, it gets tough: when it comes to data protection there are no concrete rules or uniform control concepts. This means that every company has to implement appropriate measures on an individual basis. It helps to know how much room for manoeuvre you have. This will also allow you to assess the risks (some of them only supposed) correctly. There are many different options when it comes to implementing the rules. What they all have in common is the aim of making sure the basic principles of data processing are complied with in each individual case.
An additional challenge in day-to-day business is the data privacy notices resulting from the duty to provide information stipulated in art. 12 – 14 GDPR. Where personal data are collected, the data subject has to be informed about many different things, including the identity and the contact details of the controller; the contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; and possibly the recipients of the personal data or the fact that the controller intends to transfer personal data to a third country. The GDPR leaves plenty of room for interpretation when it comes to putting this information requirement into practice. It specifies only that ‘appropriate measures’ have to be taken to provide the information to the data subject ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Organisations have to decide for themselves exactly what form this takes. Here, too, you should decide on the basis of the individual case in question.
Data controllers that violate the GDPR face the prospect of drastic sanctions of up to EUR 20 million or 4 per cent of worldwide turnover, whichever is higher. The regulations empower supervisory authorities in EU member states to impose fines if various conditions are met. Each supervisory authority must make sure that the sanctions for infringement of the GDPR are effective and proportionate and act as a deterrent.
Given that a state’s authority to impose sanctions is restricted to its own sovereign territory, it’s interesting to note how Swiss enterprises not established in the EU, which according to the GDPR fall under its domain, can be sanctioned by supervisory authorities in the EU. The GDPR attempts to resolve this contradiction by obliging providers of goods and services to the EU to appoint an EU representative to serve as a point of contact for supervisory authorities and data subjects for all matters connected with compliance with the GDPR. It remains to be seen how potential sanctions will be imposed in Switzerland in the future.
Changes are also afoot on the data protection front in this country, as Switzerland ratifies the amended European Council data protection agreement with a complete revision of the FADP. Switzerland will also be adopting the EU’s regulation on the protection of natural persons with regard to the processing of personal data in criminal law.
The draft bill for the amended Data Protection Act was published in September 2017, aligning Swiss data protection rules with the GDPR. The new Swiss legislation is designed to boost data subjects’ individual rights and transparency as well as harmonisation and liberalisation with EU data protection standards. These adjustments are important if Switzerland is to continue to be recognised as a third country with an appropriate level of data protection and the transfer of data across borders is to remain straightforward.
In January 2018 the Swiss National Council’s Political Institutions Committee requested that the bill be split. The first phase should be to make the amendments necessary in the context of the Schengen agreement. Then the complete revision of the FADP should be done without any time pressure, primarily to do justice to the complexity of the issues involved.
The amended FADP is likely to enter into force in January 2019. However, delays are currently expected. Plans for a so-called Swiss finish have now been abandoned again, as have the provisions protecting the data of corporate entities contained in the present data protection legislation. The draft FADP is substantially leaner than the GDPR in terms of controller accountability, and with a maximum fine of CHF 250,000 the sanctions are also less severe. What shouldn’t be underestimated, however, is the fact that under the draft FADP sanctions are imposed directly on a natural person, while the GDPR imposes sanctions on a corporate entity.
Developments have been exciting since the GDPR became binding on 25 May 2018. In the next few months it will emerge whether companies have correctly interpreted the risks and implemented the requirements of the GDPR adequately. Those that haven’t yet got that far can breathe easily: implementing the GDPR is no Herculean task. And once it’s implemented, it may even offer an opportunity to show engagement and build trust, and demonstrably helps protect people’s right to privacy. All companies have to have rethought their data protection policy by the time the amended FADP enters into force in Switzerland. Otherwise, they’ll pay the penalty for infringements of the data protection rules not just in hard cash, but in terms of loss of trust and reputation.