Europe as a whole, in general terms at least, takes a strong stance on the privacy of individuals’ data. In 1981, the 47 EU countries agreed to sign a treaty to protect individuals with regard to the automatic processing of personal data, and Europe was hailed as one of the most forward-thinking communities in the world in this respect. The treaty became the basis for the 1995 EU privacy directive 95/26/EC, which was a fully-fledged framework for data privacy for the individual, covering the free movement of personal data. After a number of revisions to the directive, including strengthening online privacy rights and enhancing the responsibility of controllers in the privacy equation, the concept of a General Data Protection Regulation, or GDPR, evolved. The GDPR has been many years in the making and will finally come into force in May 2018, after a two-year period of implementation.
It has arisen out of the EU privacy directive but is a much modernized and updated version of it, partly due to rapid technological changes in how data is created and handled. Its focus is on the rights of the individual and on ensuring that whoever deals with that individual’s Personally Identifying Information (PII) does so in a way that minimizes risk. The GDPR was developed not as a hindrance to commerce, but as a means to build trust between organizations and consumers, and to drive the digital economy of Europe.
In this post, we will look at some of the areas of the GDPR that impact Swiss Multinational Companies.
Essential Details To Be Aware Of
The EU and Switzerland are highly integrated and of mutual importance: the EU is Switzerland’s main trading partner, and Switzerland is the EU’s third largest, according to the European Commission’s Trade Picture. The largest exports are found in the chemical and pharmaceutical industries, and watches and instruments. In 2015 the EU exports from Switzerland were worth almost 251 billion Euros. Although Switzerland is not an EU country, the GDPR will still have a significant effect upon Swiss multinationals. For the privilege of doing free trade with the EU, Switzerland has agreed to certain EU regulations, and article 3.1 of the legislation makes this clear:
“This provision allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of Union law…regardless of whether the processing takes place in the union or not”
This principle is known as the establishment principle. It outlines the territorial scope of the directive, and covers any organization that has an online presence accessible by EU members. If you offer goods or services to a ‘data subject’ based in the EU, then you are subject to the GDPR rules. A data subject is literally anyone who is in the EU at the time your organization processes his or her data – EU citizen or non-resident alike. Put into practice, this means that the rules apply to Swiss companies if:
- They actively promote or sell goods/services to a data subject via an online store available in an EU country
- They process personal data and behavioral data, for data subjects inside the EU, even if the controller is outside of the EU – and even if those goods and services are free
- A Swiss company has an EU subsidiary and processes personal data of employees
If your company meets any or all of the above conditions, then there are certain parts of the GDPR that are highly pertinent, both to help prevent breaches of data privacy and to punish such occurrences.
The creation of a data protection officer is a new aspect of the GDPR and is considered by some to be a rather onerous one. Known as controllers, they are responsible, as an individual or with others, for determining why personal data is being processed. If your business processes data from EU data subjects, either through product sales or behavior monitoring, then you have to designate a representative in an EU country. This EU representative is your first point of contact in dealing with data subjects in the EU.
The GDPR has brought in administrative fines “in order to strengthen the enforcement of the rules of this Regulation”. Article 83 of the legislation sets out the conditions that can result in a fine. An organization can be fined up to 4% of its total worldwide annual turnover, or 20 million Euros, whichever is higher. How big the fine is depends on several factors, including previous breaches of legislation, the determined degree of negligence, and action taken to mitigate the data exposure.
There are, however, exemptions if your business meets the following criteria:
- You only process data from EU data subjects occasionally
- The data being processed is highly unlikely to have any impact on the rights and freedoms of the data subject
- Your organization only processes small amounts of data
However, it will still be necessary for all companies to understand exactly what level of data they are handling, and its degree of sensitivity, in order to know whether the rules do apply.
Making Headway As a Swiss Company in Complying with the GDPR
It’s always wise to take legal advice on qualifying and quantifying the requirements of the GDPR as a Swiss company, and on the specific impact upon your business; this can be part of a GDPR risk assessment exercise. There are 18 months still left to implement your GDPR compliance, but because of the complex nature of the legislation, and its scope outside of the EU, you do need to get on board quickly. A top-down approach is crucial to moving the organization forward and seeing measures implemented in a practical and sustainable way: the measures, the assignment of data controllers and the appointment of an EU representative must first be accepted by the board members before any subsequent action.
The territorial scope of the GDPR is also likely to impact on Swiss data protection law and have a global reach, with far-reaching effects. But in a world where privacy is becoming an increasingly important issue for consumers, and cybersecurity threats are ever present, implementing the principles of the GDPR is a positive move, and one that Swiss organisations should be proud to make.
Michael Liebi is the founder of United Security Providers and now serves as a board member there.