News

The General Data Protection Regulation (GDPR), approved by the European Parliament, entered into force in May 2016 and becomes directly applicable in all EU member states from 25 May 2018.

The aim of the GDPR is to unify data protection law across the 28 member states of the European Union (EU) for the digital age, improve legal certainty, strengthen the confidence of citizens and businesses, and simplify the regulatory environment for companies. What are the implications for Switzerland?


Written by

Emilie RULLAND * Chief of International Mobility & Consulting Officer, Mariana SANTOS * Quality & Marketing Manager, William FORNARA * HR Specialist, Charles-Alban VERNIER * Compensation & Benefits Specialist, Maria Belen Aguilera * Legal Officer Junior.

Overview

The GDPR replaces the current European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The goal is to turn the current patchwork of national rules into a single set of rules and thereby give citizens more control over their own personal information in an increasingly digital world. The GDPR imposes a much stricter regulatory framework for the protection of personal data within the European Union (EU). Any "controller" or "processor" of personal data established in the EU is subject to the regulation, as are entities outside the EU that process the personal data of persons located in the EU. This means that companies based in Switzerland will have to comply with the provisions of the GDPR whenever they process the personal data of persons in the EU, whether EU citizens or employees assigned there, which concerns in particular Swiss employers and their service providers in the context of intra-group employee mobility within the EU.

Scope

For Swiss groups, the GDPR applies directly to any data processing carried out by EU-based group entities, and to processing by Swiss-based companies that carry on business activities within the EU and have access to the personal data of their employees assigned there.

Main changes

New and stringent compliance requirements are imposed. For example, entities are now required to carry out data protection impact assessments and privacy audits. They must also build privacy compliance into their business processes from the design stage ("privacy by design") in order to ensure compliance.

Personal data are subject to strict new controls in favour of the data subject. These include the principles of "data minimisation", "data portability" and the "right to erasure" (or "right to be forgotten"), which require entities to limit the data they collect to what is necessary, to let individuals take their data with them in a machine-readable form at the end of a service, and to delete and destroy data upon request.

In the event of a personal data breach, companies are obliged to notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it. To limit the impact of such incidents, appropriate measures (in particular pseudonymisation and encryption) should be implemented before and during processing so that the data protection principles are respected even if data are exposed. Infringements of the GDPR expose companies to administrative fines. Each supervisory authority responsible for data protection is empowered to impose such measures, either directly or through the national courts.
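The measure the paragraph above names, pseudonymisation, is only effective if the information needed to reverse it is kept separately from the pseudonymised data. The following Python block is an added example written for this page, not code from the authors or from any product they describe: it contrasts a plain (unkeyed) hash of employee identifiers, which an attacker holding the staff list can undo by guessing, with a keyed HMAC pseudonym that can only be recomputed by whoever holds the key. The employee records are constructed sample data, the key handling in `demo()` is hypothetical, and the purpose string is an assumed label.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR records for the example; not real persons.
EMPLOYEES = [
    {"id": "E1001", "email": "anna.mueller@example.ch", "assignment": "DE", "salary": 95000},
    {"id": "E1002", "email": "luc.perrin@example.ch", "assignment": "FR", "salary": 88000},
    {"id": "E1003", "email": "sara.rossi@example.ch", "assignment": "IT", "salary": 91000},
]

# Fields that directly identify a person and must be replaced before the
# records leave the HR system (e.g. for mobility reporting or analytics).
DIRECT_IDENTIFIERS = ("id", "email")


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and one-way in theory,
    but staff numbers and work e-mail addresses form a small, guessable
    space, so anyone holding a candidate list can undo it (see guess_original)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 over (purpose, value). The key is the 'additional
    information' that must be kept separately: without it the pseudonym
    cannot be recomputed from a guessed identifier. Binding the purpose into
    the message gives each processing purpose its own, unlinkable pseudonyms."""
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes, purpose: str):
    """Return copies of the records with direct identifiers replaced;
    other attributes are left untouched so the data stays usable."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = keyed_pseudonym(rec[field], key, purpose)
        out.append(new)
    return out


def guess_original(pseudonym: str, candidates, derive):
    """Dictionary attack: push every candidate identifier through `derive`
    and return the one whose output matches `pseudonym`, or None."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand), pseudonym):
            return cand
    return None


def demo():
    """Compare both approaches against an attacker who knows the staff list."""
    # Hypothetical key handling: in practice the key comes from the HR
    # system's key store and is never stored next to the pseudonymised data.
    key = secrets.token_bytes(32)
    purpose = "intra-group-mobility-reporting"  # assumed purpose label
    pseudo = pseudonymize_records(EMPLOYEES, key, purpose)
    emails = [r["email"] for r in EMPLOYEES]

    # Unkeyed hash: the attacker recomputes it for every known address.
    recovered_unkeyed = guess_original(unkeyed_hash(emails[0]), emails, unkeyed_hash)
    # Keyed pseudonym without the key: every guess yields a different MAC.
    recovered_without_key = guess_original(
        pseudo[0]["email"], emails,
        lambda v: keyed_pseudonym(v, b"attacker-guess", purpose))
    # The controller, holding the key, can still re-identify when required.
    recovered_by_controller = guess_original(
        pseudo[0]["email"], emails, lambda v: keyed_pseudonym(v, key, purpose))
    return recovered_unkeyed, recovered_without_key, recovered_by_controller


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unkeyed hash being recovered from the candidate list, the keyed pseudonym resisting the same guess without the key, and the controller re-identifying with it. The practical consequence for the breach-notification duty above is that a leak of HMAC-pseudonymised records is far less harmful than a leak of plain-hashed ones, but only as long as the key was stored elsewhere and was not part of the same breach.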

The GDPR provides for two tiers of administrative fines. Depending on which provisions are infringed, fines may reach EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, or, for the most serious infringements, EUR 20 million or 4% of that turnover, whichever amount is higher in each case.

Data protection in Switzerland

Swiss data protection law currently in force already provides a high level of protection and is recognised by the European Commission as adequate, i.e. equivalent to that of the Member States, in particular France.


Article 328b of the Code of Obligations

Article 328b of the Code of Obligations provides that the employer may only process personal data concerning the employee to the extent that the data relate to the employee's suitability for the job or are necessary for the performance of the employment contract.

Federal Act on data protection

Any processing of data must be lawful and must comply with the general principles of the Federal Act on Data Protection, in particular lawfulness, good faith, proportionality, purpose limitation, transparency (the processing must be recognisable to the data subject) and accuracy. Every employee is entitled to request the correction of inaccurate data.

Disclosure of personal data from Switzerland abroad is subject to special conditions. Such disclosure is in principle prohibited where the legislation of the country concerned does not provide an equivalent level of protection for the processing of personal data. Data may nevertheless be disclosed despite the absence of adequate protection if the person concerned has given prior consent in the specific case, or if the processing is directly related to the conclusion or performance of a contract and the data concern the contracting parties. In practice it is strongly recommended to obtain the employee's prior consent in any event. This consent should be obtained through a specific data protection clause in the employment contract confirming the employee's agreement to the processing of his or her personal data and to its cross-border disclosure in connection with the performance of the employment contract.

Employers are exempted from the obligation to register their data files with the Federal Data Protection and Information Commissioner (FDPIC) insofar as the data are processed under a legal obligation of the employer arising from the performance of the employment contract.

Revision of the Federal Act on data protection

Although Switzerland is not required to transpose the GDPR into its legislation, it is in its interest to align itself with the new GDPR measures, since data exchange with the EU can in principle only take place if Switzerland ensures an adequate level of protection. The ongoing reform of the Federal Act is therefore heavily inspired by the GDPR.

The Swiss revision project strengthens the rights of data subjects and the powers of the Federal Data Protection and Information Commissioner, and extends the obligations of entities processing personal data. GDPR principles such as the right of access, the right to be forgotten, data breach notification, privacy by design, privacy by default, control of processors (subcontractors) and impact assessments are already included in the Swiss preliminary draft. Penalties are also higher and may reach CHF 500,000.

Under the revised Swiss Data Protection Act, which will come into force in 2019 at the earliest, companies will have to be more specific about the categories of personal data processed, the purposes of the processing, the categories of data recipients, the IT security measures applied and the retention period.

Employment contracts will need to be reviewed accordingly.

Steps for compliance with GDPR

• Designate a data protection officer responsible for information and internal control.
• Make an inventory of the categories of personal data processed and the types of processing carried out. For each processing operation, record its purpose, the person responsible for it and the data retention period.
• Identify actions and risks. Once the inventory of processing operations has been drawn up, identify those that present a risk or are not compliant.
• Manage the risks. Where a processing operation presents a risk, carry out a data protection impact assessment before the processing starts.
• Implement internal processes: draft a data protection charter and model contracts, and set up procedures for handling requests concerning data portability, the right to information, the right of access and the right of rectification, as well as for managing consents.

For further information

Contact ITX International Mobility Consulting Emilie RULLAND, Chief Legal Officer & Head of International Mobility Consulting Department * erulland@itx-ge.com

The information contained in this newsletter is not exhaustive and does not necessarily cover all legal aspects of the subject. It can in no case replace professional legal advice, particularly with regard to a specific case or situation. All rights reserved; reproduction requires prior written consent.