The General Data Protection Regulation (GDPR), approved by the European Parliament, entered into force in May 2016 and will be directly applicable in all EU member states as from 25 May 2018.
The aim of the GDPR is to unify data protection laws in the 28 member states of the European Union (EU) in a digital age, improve legal certainty, enhance the confidence of citizens and businesses and simplify the regulatory environment for companies. What are the implications for Switzerland?
In Switzerland, the GDPR will apply directly to any data processing carried out by entities of groups located in the EU as well as by Swiss-based companies carrying on business activities within the EU and having access to the personal data of their employees assigned within the EU.
Personal data are subject to strict new user controls. These include the principles of "data minimisation", "data portability" and the "right to erasure or right to be forgotten", which require entities to limit the use of data, to allow individuals to take out their data at the end of a service and to delete and destroy data upon request.
In the event of a breach of confidentiality, companies will be obliged to notify the competent supervisory authority without undue delay and no later than 72 hours after identification of the problem. In order to avoid infringements, it is advisable to implement appropriate measures (such as the use of pseudonyms) before and during data processing in order to ensure compliance with data protection principles. Infringements of the GDPR may expose companies to administrative fines. Each authority responsible for data protection will be permitted to take such measures, either directly or through the national courts.
The GDPR provides for two levels of penalties for non-compliance. Depending on the articles of the GDPR which are the subject of an infringement, administrative fines may be applied of up to EUR 20 million or up to 4% of the annual turnover for the previous financial year.
Data protection in Switzerland
Swiss law on data protection currently in force already provides a high level of protection and is considered to be equivalent to that of the Member States, in particular France.
Article 328b of the Code of Obligations
Federal Act on data protection
Communication of personal data from Switzerland abroad is subject to special conditions. Such communication is in principle prohibited where the legislation of the country concerned does not provide an equivalent level of protection for the processing of personal data. However, data may be disclosed despite the absence of adequate protection guarantees, provided that the person concerned has given his prior consent, or the data processing is directly related to the conclusion or performance of a contract and the data processed relate to the contracting parties. In this context, it is nevertheless highly recommended to obtain the prior consent of the other party. Such consent should be obtained through a specific data protection clause within the employment contract, confirming the employee's prior agreement to the processing of his or her personal data and to cross-border communication in connection with the performance of the employment contract.
Employers are exempted from the obligation to declare their files to the Federal Data Protection Officer insofar as the data are processed under a legal obligation of the employer arising from the execution of the employment contract.
Revision of the Federal Act on data protection
The Swiss revision project strengthens the rights of individuals and the competences of the Federal Data Protection Officer, and extends the obligations of entities dealing with personal data. GDPR principles (such as the right of access, the right to be forgotten, the notification of data breaches, privacy by design, privacy by default, subcontractor control and impact assessment) are already included in the Swiss preliminary draft. Penalties are also higher and may amount to CHF 500,000.
With regard to the revision of the Swiss Data Protection Act, which will come into force in 2019 at the earliest, companies will have to be more specific regarding the categories of personal data, the purposes of the processing, the categories of data recipients, IT security measures and the retention period.
Employment contracts would need to be reviewed accordingly.
Steps for compliance with GDPR
• Inventory. Make an inventory of the categories of personal data processed and the types of processing carried out, determining for each the type of processing, its purpose, the person in charge of it and the data retention period.
• Identification of actions and risks. Once the inventory of data processing has been carried out, identify the processing operations that may present a risk or may not be compliant.
• Risk management. Where risks related to the processing of data are identified, carry out an impact assessment for the processing presenting a risk before that processing begins.
• Implementation of internal processes. Draft a charter and model contracts, and set up processes for handling requests for data portability, the right to information, the right of access, the right of rectification and the management of consents.
For further information
The information contained in the present newsletter is not exhaustive and does not necessarily cover all legal aspects of the subject. It can in no case replace professional legal advice, particularly regarding the case under consideration in any particular situation. Copyrights are reserved, except with prior written consent.