27 March 2020
Compliance with European Union (EU) privacy law presents a challenge for many businesses in non-EU countries. This includes companies from regions with relatively strong data protection regimes, such as Switzerland.
Switzerland is bordered by four EU countries. It recognizes three of the EU's official languages as national languages. But Switzerland's relationship with the EU means that Swiss businesses have some extra work to do before they can target EU consumers.
In this article, we'll be looking at how businesses in Switzerland and other non-EU countries can work towards compliance with the EU General Data Protection Regulation (GDPR).
First, we're going to answer some common questions about Switzerland's relationship with the EU, and the obligations of Swiss companies under the GDPR.
Switzerland is not an EU member, and nor is it a member of the larger European Economic Area (EEA), which consists of every EU member state plus Norway, Iceland, and Liechtenstein.
Switzerland is a member of the European Free Trade Area (EFTA), along with Norway, Iceland, and Liechtenstein. As an EFTA member, Switzerland is part of the EU's "single market."
Being part of the single market means Switzerland and the EU do a lot of trade together. Perhaps unsurprisingly, the EU is Switzerland's largest trading partner, meaning that Switzerland exports more goods and services to the EU than any other market.
However, Switzerland isn't the EU's largest trading partner. The United Kingdom, the United States, and China all do more trade with the EU than Switzerland.
The EU places strict rules on the transfer of personal data from inside the EU to "third countries" (non-EEA countries).
A business that collects personal data from within the EEA cannot normally transfer it to another business outside of the EEA without proper safeguards in place. For example, both parties involved in the transfer might have to sign a standardized contract to guarantee the security of the personal data after the transfer is complete.
Fortunately, Switzerland, along with 12 other non-EEA countries, has received an "adequacy decision" from the European Commission. An adequacy decision is a recognition of the strength of Switzerland's data protection law.
The European Commission's assessment is that Swiss law provides an "adequate level of protection" for personal data:
Because Switzerland is in receipt of an adequacy decision, EEA companies don't need to take any special measures to safeguard personal data transfers to Switzerland. They can transfer personal data in the normal way, just as they would within the EEA.
Unlike companies in EEA countries, Swiss companies don't have to obey the GDPR all the time. However, just like businesses all over the world, Swiss companies do have to obey the GDPR when they're operating in the EEA.
This rule comes from Article 3 of the GDPR, which establishes the law's "territorial scope":
Article 3 sets out two conditions under which a non-EU company must obey the GDPR.
"Offering goods and services" means targeting EU consumers or otherwise doing business in the EU (whether for profit or not). "Monitoring behavior" extends to certain personalized ad campaigns that use tracking cookies. Lots of companies are caught out by this rule.
When engaged in these activities, Swiss companies must obey the GDPR. Given that the EU is Switzerland's largest target market, this means many Swiss businesses comply with the GDPR by default.
Of course, this rule doesn't apply solely to Swiss companies, but also to any non-EU company that wishes to operate in the EU. Businesses from non-EU countries all over the world have to obey the GDPR to this same extent, including those from the US, the UK, Canada, etc.
The main data protection law of Switzerland is the Federal Act on Data Protection (FADP) (English version).
The FADP first passed in 1992 and is currently undergoing review to bring it closer to the standards set out in the GDPR. While the FADP and the GDPR share many similarities, there are some important differences.
Perhaps most notably, while the GDPR only recognizes natural persons as "data subjects", the FADP recognizes both natural and legal persons.
So, while the GDPR applies to Ralph Lauren (the natural person) but not to the Ralph Lauren Corporation (the legal person), the FADP applies to both. This means Swiss businesses must take additional steps to protect the personal data that they process through their B2B communications.
The EU's proposed ePrivacy Regulation, which should come into force in 2020, would extend privacy rights to legal persons in much the same way as the FADP.
Some of the other key differences between the GDPR and the FADP are set out below:
| | GDPR | FADP |
|---|---|---|
| Scope | All private persons, businesses, charities, and local, national and EU-level public organizations processing personal data in the EU. | All private persons, businesses, charities, and federal government organizations based in Switzerland. Public bodies at the cantonal (regional) level are subject to local data protection laws. |
| Data subject | Natural persons only. | Natural persons and legal persons (e.g. corporations). |
| Standard of consent | Must be freely given, specific, informed, unambiguous, and given via a clear, affirmative action. | Must be "given voluntarily on the provision of adequate information." Must be given expressly when the processing concerns "sensitive personal data or personality profiles." |
| Maximum fine | 4% of annual global turnover or €20 million. | 250,000 Swiss Francs (CHF) (approximately €235,000). |
| Data subject rights | Right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object; rights related to automated decision-making. | Only "the right to information" is explicitly set out in the FADP. This is similar in scope to the "right of access" under the GDPR. Data subjects can also request the rectification and erasure of their personal data through Swiss civil law. |
| Data breach notification requirements | For a serious data breach likely to risk the "rights and freedoms" of individuals: inform the Data Protection Authority within 72 hours at the latest. For a very serious data breach that is likely to cause "high risk to the rights and freedoms" of individuals: inform the affected individuals without undue delay. | No formal data breach notification requirements. |
All businesses in "third countries" (non-EEA countries) must become GDPR-compliant before they begin EU operations.
Due to Switzerland's strong data protection law, Swiss companies are in a good position to operate in compliance with the GDPR.
However, even Swiss data protection law is weaker than the GDPR in several areas. There are a few extra steps every non-EU company must take before it can extend its market reach to EU consumers.
Let's look at some examples from businesses that are fulfilling these requirements.
Here's how PNE Group covers point 6 (with whom data is shared):
Note that the GDPR only requires you to disclose the categories of third-party recipients with whom you share personal data, rather than the actual identities of the companies.
Most non-EEA companies operating in the EU will need to appoint an EU Representative. This applies to Swiss companies as well as companies from any other non-EEA country.
An EU Representative acts as your company's main point of contact with the EU. An EU Data Protection Authority can launch legal proceedings against your EU Representative in the event of a GDPR violation.
Your EU Representative:
Your EU Representative doesn't need to work directly for your company. You can contract with a third-party company to provide this service for you.
Once you have selected an EU Representative, you'll need to create an Appointment of an EU Representative Letter to make the appointment official.
Not every company needs to appoint an EU Representative. You may be exempt from this requirement if all of the following are true:
Bear in mind that the broad definition of personal data means that most businesses process personal data regularly and, therefore, would not fall under this exemption.
Your company may plan to seek EU consumers' consent for purposes such as direct email marketing or personalized advertising. If so, you should review the ways in which you seek consent in order to meet the EU's high standards.
It's possible that a Swiss company that is compliant with domestic law may be collecting consent in a way that is incompatible with the GDPR. The same is true for companies from countries such as the US and Canada, where data protection law is comparatively weak.
Here's how the Swiss FADP defines consent:
And here's the GDPR's definition:
To understand the difference between these two definitions, we must distinguish between two types of consent:
Here's an example of implied consent, from Watches of Switzerland:
The business infers that it has the user's consent for cookies if the user continues to browse the website. The user can opt out, but does not need to opt in.
Here's an example of express consent, from UK recruitment website Joining the Police:
The organization requests consent to analytics and marketing cookies, but the cookies are turned "off" by default. Unless the user turns these cookies "on," the website will not set them.
The broad scope of the GDPR means that if your website or app uses non-essential cookies or tracking technologies, you must set up a GDPR-compliant cookie consent solution for EU users.
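The express-consent behaviour described above (non-essential cookies stay off until the user turns them on, and merely continuing to browse changes nothing), as an added JavaScript example that is not code from the original article or from either website it cites. The in-memory cookie store, the category names and the cookie names are assumptions made for the example:

```javascript
// Added example, not code from the original article or the sites it cites.
// It models express consent: non-essential cookie categories default to "off"
// and nothing in those categories is set until the user explicitly turns the
// category on. A page view (the implied-consent pattern) leaves the state
// unchanged. A plain object stands in for document.cookie so this runs in
// Node; category and cookie names are constructed for the example.

const NON_ESSENTIAL = ["analytics", "marketing"];

function createConsentGate(store = {}) {
  // GDPR-style default: every non-essential category starts off.
  const consent = { analytics: false, marketing: false };
  const categoryOf = {}; // cookie name -> category, needed for withdrawal
  const blocked = [];    // refused writes, useful for a consent audit log

  return {
    // The only way to turn a category on is this explicit call, wired to the
    // banner's "on" toggle. There is no implicit path such as scrolling.
    grant(category) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error("unknown category: " + category);
      consent[category] = true;
    },
    // Withdrawal removes the category's cookies along with the permission.
    withdraw(category) {
      consent[category] = false;
      for (const name of Object.keys(categoryOf)) {
        if (categoryOf[name] === category) { delete store[name]; delete categoryOf[name]; }
      }
    },
    // Essential cookies always pass; anything else passes only with recorded
    // consent. An unknown category is treated as unconsented (fail closed).
    setCookie(name, value, category = "essential") {
      if (category !== "essential" && !consent[category]) {
        blocked.push({ name, category });
        return false;
      }
      store[name] = value;
      categoryOf[name] = category;
      return true;
    },
    // A page view is a no-op on consent: "continuing to browse" is not a
    // clear affirmative action.
    pageView() { return { ...consent }; },
    state() { return { ...consent }; },
    blockedCookies() { return blocked.slice(); },
    store,
  };
}
```

The `blocked` list is the part worth keeping in a real deployment: it is the evidence that tracking cookies were actually withheld before consent, which is what a supervisory authority will ask about.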
You should also check your direct marketing sign-up pages for pre-ticked boxes.
However, note that in certain circumstances, it is possible under EU law to send direct marketing to your existing customers without their consent.
For more information, see our article Three-Part Test for Legitimate Interest Under the GDPR.
The GDPR has strict rules around what you must do in the event of a data breach. Other jurisdictions, including Switzerland, do not have formal breach notification requirements.
Swiss and other non-EU companies operating in the EU should develop a strategy for responding to data breaches in a quick and GDPR-compliant manner.
Here are the basic rules around responding to a data breach under the GDPR:
Businesses may receive fines if they take too long to respond to a breach. One way to avoid delays is to prepare a Data Breach Notification Letter. You can then notify data subjects in a timely way following a very serious breach.
You should also consider creating a Data Breach Policy to ensure that you can mitigate any potential data breaches. Elements of a Data Breach Policy may include:
Swiss and other non-EU companies must comply with the GDPR if they wish to operate in the EU.
If you hope to launch EU operations, take these steps towards GDPR compliance:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.