The legal framework for data protection is changing dramatically, forcing companies in the EU and in third countries to adapt. On May 25, 2018, the EU's new General Data Protection Regulation (GDPR) takes effect with significant changes. Many companies, especially in third countries such as Switzerland, are not yet aware that this new set of rules applies to them directly, even though Swiss national data protection law (still) remains unchanged. And this despite maximum fines of up to 4% of annual turnover or 20 million euros.
The EU regulation also applies in Switzerland
With the GDPR, the EU is creating a uniform legal basis for the entire Union and harmonising what were previously national laws. Beyond harmonisation, however, the EU also set out to create a means of taking action against companies in third countries that store or process the data of persons residing in the EU. What was primarily aimed at Google, Facebook and Co. now ultimately affects every company that stores or processes data of EU persons in the course of its business: for example, maintaining contacts in a CRM (Customer Relationship Management) system, recording website visitor data, or keeping EU natural persons in the accounts receivable master data. Strictly speaking, the marketplace principle determines which data protection law applies. But thanks to the Internet, a service is deemed to be provided at the customer's location, even if it is delivered from Switzerland. In short: practically every company that does business with people in the EU is already directly affected.
From 25 May 2018, the GDPR will therefore not apply only within the EU. Companies in third countries such as Switzerland must by then have implemented both their national data protection law and the new EU requirements in parallel.
Implementation under difficult conditions
Over the next few years, Switzerland will align its national legislation with that of the EU in order to keep its classification by the EU Commission as a third country with an adequate level of data protection. This is particularly important for IT companies based in Switzerland that want to remain competitive in the EU.
The technical implementation in IT, on the other hand, is likely to be even more complicated than the legal adaptation. On 25 January 2017, the US President signed an executive order that removes or restricts the protections of US privacy law for non-US persons (see c't of 18 April 2017: "Getting out of the US clouds"). In all probability this will also torpedo the EU-US and Swiss-US Privacy Shield, which only came into force in summer 2016, and may well bury it again after only a few months.
But which company in Switzerland does not purchase services from American IT companies, or has not already, consciously or unconsciously through pragmatic employees, exchanged data via Dropbox or similar services?
Which requirements must be implemented?
For us, this is reason enough to examine the GDPR more closely in a series of articles over the coming weeks.
- Part 1 of the series introduces the different actors and sets the framework.
- Part 2 examines the principles of data protection, structured around four pillars.
- Part 3 explains the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 examines legally privileged, desirable processing methods.
- Part 5 concludes the series with a framework for the pragmatic and appropriate implementation of data protection in your IT project.