The legal framework for data protection is changing rapidly, forcing companies in the EU and third countries to adapt. On 25 May 2018, the new General Data Protection Regulation (GDPR) will take effect with significant changes. However, many companies, especially in third countries such as Switzerland, are not yet aware that this new set of rules directly affects them, even if the national data protection law in Switzerland remains (still) unchanged. And this despite threatening maximum fines of 4% of annual turnover or 20 million euros.
EU General Data Protection Regulation also applies in Switzerland
With the new General Data Protection Regulation, the EU is creating a uniform legal basis for the entire EU and harmonising the national legislation that has existed to date. In addition to harmonisation, however, the EU also pursued the goal of creating a mechanism against companies in third countries that store or process data on persons residing in the EU. But what is primarily aimed at Google, Facebook and Co. now ultimately affects all companies that also store or process data of EU persons within the scope of their business activities. This includes, for example, the management of a CRM system (Customer Relationship Management), the recording of website visit data or keeping natural persons from the EU in the accounts receivable master data. In short: practically every company that somehow deals with people in the EU is already directly affected.
From 25 May 2018, the GDPR will therefore apply not only in the EU but also to companies in third countries – such as Switzerland. National data protection laws have to be implemented alongside the new EU requirements.
Implementation under difficult conditions
In the coming years, Switzerland will adapt its national legislation to that of the EU in order to remain classified by the EU Commission as a third country with comparable data protection. This is very important for IT companies based in Switzerland who want to retain their competitiveness in the EU.
The technical implementation in IT, on the other hand, may become even more complicated than the legal adaptation. On 25 January 2017, the US President issued a decree declaring the abolition or restriction of US data protection law for foreigners (see c’t, 18.4.2017: “get out of the US-clouds”). In all probability, this will also torpedo the EU-US and Swiss-US Privacy Shield, which came into force only in the summer of 2016 and will probably be buried again after only a few months.
But which company in Switzerland does not receive any services from American IT companies or has not already exchanged data via Dropbox or similar solutions – consciously or unconsciously through pragmatic employees?
Which requirements have to be implemented?
For us, this is a reason to investigate the General Data Protection Regulation in more detail in a series of articles over the next few weeks.
- In this lead-in article, we draw attention to the need for action.
- In the first part of the series, we introduce the various actors and set the framework.
- In Part 2, we examine the principles of data protection based on four pillars.
- Part 3 explains the special requirements for the processing of special categories of personal data and profiling, which is regarded as particularly critical.
- In Part 4, we highlight legally privileged, desired processing methods.
- The last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT projects.
linkyard specializes in the realization of software solutions with high security requirements and in the professional support of IT procurement processes. Especially for the correct and economic implementation of data protection requirements in IT systems, an iterative interaction between IT security specialists such as linkyard and a specialized lawyer proves to be advantageous. The search for the most cost-effective and at the same time legally compliant solution often requires the elaboration and evaluation of various implementation variants, and the first best solution usually still undergoes some adjustments. We are also happy to accompany your project.