GDPR and Switzerland

Compliance with European Union (EU) privacy law presents a challenge for many businesses in non-EU countries. This includes companies from regions with relatively strong data protection regimes, such as Switzerland.

Switzerland is bordered by four EU countries. It recognizes three of the EU's official languages as national languages. But Switzerland's relationship with the EU means that Swiss businesses have some extra work to do before they can target EU consumers.

In this article, we'll be looking at how businesses in Switzerland and other non-EU countries can work towards compliance with the EU General Data Protection Regulation (GDPR).


Switzerland, the EU, and the GDPR

First, we're going to answer some common questions about Switzerland's relationship with the EU, and the obligations of Swiss companies under the GDPR.

What is Switzerland's Relationship With the EU?

Switzerland is not an EU member, nor is it a member of the larger European Economic Area (EEA), which consists of every EU member state plus Norway, Iceland, and Liechtenstein.

Switzerland is a member of the European Free Trade Area (EFTA), along with Norway, Iceland, and Liechtenstein. As an EFTA member, Switzerland is part of the EU's "single market."

Being part of the single market means Switzerland and the EU do a lot of trade together. Perhaps unsurprisingly, the EU is Switzerland's largest trading partner, meaning that Switzerland exports more goods and services to the EU than any other market.

However, Switzerland isn't the EU's largest trading partner. The United Kingdom, the United States, and China all do more trade with the EU than Switzerland.

Can EU Companies Transfer Personal Data to Companies in Switzerland?

The EU places strict rules on the transfer of personal data from inside the EU to "third countries" (non-EEA countries).

A business that collects personal data from within the EEA cannot normally transfer it to another business outside of the EEA without proper safeguards in place. For example, both parties involved in the transfer might have to sign a standardized contract to guarantee the security of the personal data after the transfer is complete.

Fortunately, Switzerland, along with 12 other non-EEA countries, has received an "adequacy decision" from the European Commission. An adequacy decision is a recognition of the strength of Switzerland's data protection law.

The European Commission's assessment is that Swiss law provides an "adequate level of protection" for personal data:

EUR-Lex GDPR: Switzerland has an adequate level of protection section

Because Switzerland is in receipt of an adequacy decision, EEA companies don't need to take any special measures to safeguard personal data transfers to Switzerland. They can transfer personal data in the normal way, just as they would within the EEA.

Do Swiss Companies Have to Obey the GDPR?

Unlike companies in EEA countries, Swiss companies don't have to obey the GDPR all the time. However, just like businesses all over the world, Swiss companies do have to obey the GDPR when they're operating in the EEA.

This rule comes from Article 3 of the GDPR, which establishes the law's "territorial scope":

EUR-Lex GDPR: Article 3 - Territorial Scope

Article 3 sets out two conditions under which a non-EU company must obey the GDPR.

  • It is offering goods or services to people in the EU, whether paid or for free, or
  • It is monitoring the behavior of people in the EU

"Offering goods and services" means targeting EU consumers or otherwise doing business in the EU (whether for profit or not). "Monitoring behavior" extends to certain personalized ad campaigns that use tracking cookies. Lots of companies are caught out by this rule.

When engaged in these activities, Swiss companies must obey the GDPR. Given that the EU is Switzerland's largest target market, this means many Swiss businesses comply with the GDPR by default.

Of course, this rule doesn't apply solely to Swiss companies, but also to any non-EU company that wishes to operate in the EU. Businesses from non-EU countries all over the world have to obey the GDPR to this same extent, including those from the US, the UK, Canada, etc.

How Does Swiss Data Protection Law Compare to the GDPR?

The main data protection law of Switzerland is the Federal Act on Data Protection (FADP) (English version).

The FADP was first passed in 1992 and is currently undergoing review to bring it closer to the standards set out in the GDPR. While the FADP and the GDPR share many similarities, there are some important differences.

Perhaps most notably, while the GDPR only recognizes natural persons as "data subjects," the FADP recognizes both natural and legal persons.

So, while the GDPR applies to Ralph Lauren (the natural person) but not to the "Ralph Lauren Corporation" (the legal person), the FADP applies to both. This means Swiss businesses must take additional steps to protect the personal data that they process through their B2B communications.

The EU's proposed ePrivacy Regulation, which should come into force in 2020, would extend privacy rights to legal persons in much the same way as the FADP.

Some of the other key differences between the GDPR and the FADP are set out below:

Scope
  GDPR: All private persons, businesses, charities, and local, national and EU-level public organizations processing personal data in the EU.
  FADP: All private persons, businesses, charities, and federal government organizations based in Switzerland. Public bodies at the cantonal (regional) level are subject to local data protection laws.

Data subject
  GDPR: Natural persons only.
  FADP: Natural persons and legal persons (e.g. corporations).

Standard of consent
  GDPR: Must be freely given, specific, informed, unambiguous, and given via a clear, affirmative action.
  FADP: Must be "given voluntarily on the provision of adequate information." Must be given expressly when the processing concerns "sensitive personal data or personality profiles."

Maximum fine
  GDPR: 4% of annual global turnover or €20 million.
  FADP: 250,000 Swiss Francs (CHF) (approximately €235,000).

Data subject rights
  GDPR: Right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object; rights related to automated decision-making.
  FADP: Only "the right to information" is explicitly set out in the FADP. This is similar in scope to the "right of access" under the GDPR. Data subjects can also request the rectification and erasure of their personal data through Swiss civil law.

Data breach notification requirements
  GDPR: For a serious data breach likely to risk the "rights and freedoms" of individuals, inform the Data Protection Authority within 72 hours at the latest. For a very serious data breach that is likely to cause "high risk to the rights and freedoms" of individuals, inform the affected individuals without undue delay.
  FADP: No formal data breach notification requirements.

GDPR Checklist for Swiss and Other Non-EU Businesses

All businesses in "third countries" (non-EEA countries) must become GDPR-compliant before they begin EU operations.

Due to Switzerland's strong data protection law, Swiss companies are in a good position to operate in compliance with the GDPR.

However, even Swiss data protection law is weaker than the GDPR in several areas. There are a few extra steps every non-EU company must take before it can extend its market reach to EU consumers.

Amend Your Privacy Policy

Swiss data protection law requires that you provide adequate information to data subjects. However, as is the case in many jurisdictions, Swiss law does not set out the specific elements that a business must include in its Privacy Policy.

A GDPR Privacy Policy must include, at a minimum:

  1. Your contact details, and details of your Data Protection Officer and/or EU Representative
  2. Your purposes for processing personal data
  3. The categories of personal data you process
  4. Your lawful bases for processing personal data
  5. How long you will store personal data
  6. The types of people or companies with whom you may share personal data
  7. Whether you intend to transfer personal data to recipients outside of the EEA, and what safeguards you have in place for this
  8. Details of the data subject rights and how to access them
  9. Information about lodging a complaint with a Data Protection Authority
  10. Information about the right to withdraw consent

Let's look at some examples from businesses that are fulfilling these requirements.

Regarding point 3 above (categories of personal data processed), here's an excerpt from a section of Coca-Cola's Privacy Policy that addresses this:

Coca-Cola UK Privacy Policy: What personal data is collected clause

Here's how PNE Group covers point 6 (who data is shared with):

PNE Group Privacy Policy: Who we share your personal information with clause

Note that the GDPR only requires you to disclose the categories of third-party recipients with whom you share personal data, rather than the actual identities of the companies.

Regarding point 8 (data subject rights), here's an excerpt from a section of The Advocacy Project's Privacy Policy, explaining the data subject rights:

Advocacy Project UK Privacy Policy: Access to your personal information and Right to object clauses

For more information, see our article GDPR Privacy Policy Template.

Appoint an EU Representative

Most non-EEA companies operating in the EU will need to appoint an EU Representative. This applies to Swiss companies as well as companies from any other non-EEA country.

An EU Representative acts as your company's main point of contact with the EU. An EU Data Protection Authority can launch legal proceedings against your EU Representative in the event of a GDPR violation.

Your EU Representative:

  • Must be legally established in an EU country
  • Can be an individual or a corporation (such as a law firm)
  • Can act as Representative to multiple companies
  • Must not also serve as your Data Protection Officer (if you have one)

Your EU Representative doesn't need to work directly for your company. You can contract with a third-party company to provide this service for you.

Once you have selected an EU Representative, you'll need to create an Appointment of an EU Representative Letter to make the appointment official.

Not every company needs to appoint an EU Representative. You may be exempt from this requirement if all of the following are true:

  • You rarely process personal data
  • You do not process "special category" (sensitive) data or criminal conviction data
  • You do not process personal data in a way that presents a risk to individuals

Bear in mind that the broad definition of personal data means that most businesses process personal data regularly and, therefore, would not fall under this exemption.

Review Consent Mechanisms

Your company may plan to seek EU consumers' consent for purposes such as direct email marketing or personalized advertising. If so, you should review the ways in which you seek consent in order to meet the EU's high standards.

It's possible that a Swiss company that is compliant with domestic law may be collecting consent in a way that is incompatible with the GDPR. The same is true for companies from countries such as the US and Canada, where data protection law is comparatively weak.

Here's how the Swiss FADP defines consent:

Federal Council of Swiss Government: FADP definition of consent

And here's the GDPR's definition:

EUR-Lex GDPR: Definition of consent

To understand the difference between these two definitions, we must distinguish between two types of consent:

  • Affirmative consent (also known as "express" or "opt-in" consent). A person must actively agree to something, for example by actively ticking a box. This is the type of consent recognized by the GDPR.
  • Implied consent (also known as "inferred" or "opt-out" consent). A person can be deemed to have given their consent, for example by failing to untick a box. This type of consent is recognized in jurisdictions such as Switzerland, the US, and Australia.

Here's an example of implied consent, from Watches of Switzerland:

Watches of Switzerland Cookies Consent Notice

The business infers that it has the user's consent for cookies if the user continues to browse the website. The user can opt out, but does not need to opt in.

Here's an example of express consent, from UK recruitment website Joining the Police:

Joining the Police UK Cookies Consent Notice

The organization requests consent to analytics and marketing cookies, but the cookies are turned "off" by default. Unless the user turns these cookies "on," the website will not set them.

The broad scope of the GDPR means that if your website or app uses non-essential cookies or tracking technologies, you must set up a GDPR-compliant cookie consent solution for EU users.

You should also check your direct marketing sign-up pages for pre-ticked boxes.
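As an added illustration (not code from the original article), the following JavaScript models the distinction drawn above: non-essential cookie categories start "off", only an explicit user toggle can switch them on, continuing to browse changes nothing, and a sign-up form audit flags pre-ticked boxes. The category names, the `source` tag values and the sample form are constructed for this example.

```javascript
// Added example, not code from the original article. Models express (opt-in)
// consent: non-essential categories default to off and only an affirmative
// user action can enable them; continuing to browse changes nothing.
const NON_ESSENTIAL = ["analytics", "marketing"]; // constructed category names

function createConsentState() {
  // Strictly necessary cookies need no consent; everything else starts "off".
  return { necessary: true, analytics: false, marketing: false };
}

// `source` describes how the signal arrived. Only "user-toggle" (the user
// flipped a switch or ticked an unticked box) counts; "scroll", "continue" or
// "preticked" are implied-consent signals and are rejected.
function recordConsent(state, category, granted, source) {
  if (!NON_ESSENTIAL.includes(category)) {
    throw new Error("consent cannot be changed for category: " + category);
  }
  if (source !== "user-toggle") {
    throw new Error("implied consent ignored: " + source);
  }
  return { ...state, [category]: granted === true };
}

// Write a cookie into `jar` (a plain object standing in for document.cookie)
// only if the cookie's category is currently consented to.
function setCookie(jar, state, name, category, value) {
  if (!state[category]) {
    return false; // category not consented: cookie is not set
  }
  jar[name] = value;
  return true;
}

// Audit a form description for pre-ticked non-essential boxes, which would
// turn the sign-up into implied rather than express consent.
function findPreTickedBoxes(form) {
  return form.fields
    .filter((f) => f.type === "checkbox" && f.category !== "necessary" && f.defaultChecked)
    .map((f) => f.name);
}

// Constructed sample form with one pre-ticked marketing box.
const SAMPLE_FORM = {
  fields: [
    { name: "terms", type: "checkbox", category: "necessary", defaultChecked: false },
    { name: "newsletter", type: "checkbox", category: "marketing", defaultChecked: true },
    { name: "analytics_optin", type: "checkbox", category: "analytics", defaultChecked: false },
  ],
};
```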

However, note that in certain circumstances, it is possible under EU law to send direct marketing to your existing customers without their consent.

For more information, see our article Three-Part Test for Legitimate Interest Under the GDPR.

Implement a Data Breach Strategy

The GDPR has strict rules around what you must do in the event of a data breach. Other jurisdictions, including Switzerland, do not have formal breach notification requirements.

Swiss and other non-EU companies operating in the EU should develop a strategy for responding to data breaches in a quick and GDPR-compliant manner.

Here are the basic rules around responding to a data breach under the GDPR:

  • In the event of a serious data breach that is likely to cause "risk to the rights and freedoms" of individuals, you must inform the relevant Data Protection Authority (DPA) without undue delay, and within 72 hours at the latest.
  • In the event of a very serious data breach likely to cause "high risk to the rights and freedoms" of individuals, you must inform the affected individuals without undue delay.

Businesses may receive fines if they take too long to respond to a breach. One way to avoid delays is to prepare a Data Breach Notification Letter. You can then notify data subjects in a timely way following a very serious breach.

You should also consider creating a Data Breach Policy to ensure that you can mitigate any potential data breaches. Elements of a Data Breach Policy may include:

  • Internal reporting procedure: Explain how staff should report a data breach within your company.
  • Breach containment measures: Information about shutting down data systems, revoking access rights, notifying the police, etc.
  • Severity assessment process: Steps to determine the extent and seriousness of the breach, and to decide whether to report the breach to the DPA and/or the affected individuals.
  • Risk assessment process: Steps to determine the cause of the breach and the identities of the victims.
  • Evaluation process: Post-breach evaluation of how to avoid recurrence of the breach.

Summary of GDPR Obligations for Swiss and Other Non-EU Businesses

Swiss and other non-EU companies must comply with the GDPR if they wish to operate in the EU.

If you hope to launch EU operations, take these steps towards GDPR compliance:

  • Amend your Privacy Policy
  • Appoint an EU Representative
  • Review your consent mechanisms
  • Implement a data breach strategy

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.