GDPR - Consequences for Swiss businesses
Navigating the new privacy landscape
As Switzerland is not a member of the EU or the EEA, the reform of the European data protection law does not have a direct impact on Swiss businesses.
Author: Andreas Knijpenga
However, the reform will still be relevant from a Swiss business perspective as follows:
The new EU data protection regime will be directly relevant for any data processing undertaken by group entities located in the EU and Swiss-based companies, if they conduct business activities within the EU area and have access to personal data from their EU customers, suppliers and EU employed staff.
In this context there are a few significant new requirements, such as (to name only a few):
- Data breach notification within 72 hours
- Data protection officer requirements
- Sanctions of up to 4% of total annual worldwide turnover or up to EUR 20 million
- Unambiguous or explicit consent
Secondly, the pending Federal Data Protection ACT (FDPA) revision will be strongly influenced by:
- The modernisation of the "Convention ratified by Switzerland for the protection of individuals with regard to automatic processing of personal data" by the Council of Europe
- The new GDPR (personal data of individuals)
- The new Data Protection Directive for the police and criminal justice sector
Ultimately, all three new European provisions follow the same principles. Although the core principles of the FDPA are expected to remain the same, and only minor adjustments of the current FDPA are required, Swiss law makers may copy large parts of the final GDPR in its revised FDPA to maintain the harmonisation of the economic area.
Independent from the FDPA revision, the new EU data protection regime will be directly relevant for many Swiss-based companies, if they conduct business activities within the EU area and have access to personal data from their EU customers, suppliers and EU employed staff. It will also be key for all Swiss companies to familiarise themselves with the new GDPR and its requirements, to already begin assessing if they are affected by the new rules and to initiate the preparatory work (e.g. review client facing materials to ensure compliance with the new consent and transparency requirements, review and amend contracts with data processors where required) so that all necessary adjustments are made in time to comply with the new data protection requirements in the EU and Switzerland.
Please stayed tuned for further FDPA updates.