On April 14, 2016 the EU Parliament adopted the new EU Data Protection Regulation (PDF, 0.9 Mb) ("GDPR") which will become binding in all member states in 2018. The extraterritorial character of this new regulation will also impact Swiss companies. In Switzerland a working group on data protection will submit a report to the Federal Council by the end of August 2016 which may lead to an update of Swiss local data protection regulation as well.
What is new?
The GDPR provides several new obligations that companies have to fulfil. Some of the more relevant rules are listed below:
- Obligation to notify supervisory authorities in case of a personal data breach within 72 hours (Art. 33 GDPR) and obligation to notify data subject in case of high risk. Both will significantly increase the risk of potential reputational damages.
- Designation of a data protection officer with documentation and reporting obligations (Art. 37 GDPR).
- Privacy by design and by default (Art. 25 GDPR).
- Big Data: Data protection impact assessment and prior consultation (Art. 35 GDPR).
- Prohibition of coupling of consent (Art. 7.4 GDPR).
- Expansion of rights of the persons concerned (customer).
- Outsourcing of data processing to be governed by a contract or other legal act under Union or Member State law. Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to ensure protection of the rights of the data subject (e.g. ePrivacySeal; Art. 28.1 GDPR).
- Processor shall not engage a sub-processor without written authorization of the controller (Art. 28.2 GDPR).
- Foreign companies have to assign in writing a representative in the Union (Art. 27.1 GDPR).
- Right to data portability (Art. 20 GDPR).
The EU strengthens data protection rules. Civil liability will be increased especially for data processors. Significant fines will be introduced. Companies will face a fine up to 4% of their yearly global revenue; natural persons can be fined up to 20 mio Euros.
There is also positive news:
- A group of undertakings can assign one group data protection officer (Art. 37.2 GDRP) and can benefit from binding corporate rules (Art. 47 GDPR).
- Private certification bodies can provide data protection certificates (data protection certification and data protection seals; Art. 42 GDPR).
- Consistency of data protection regulation within the EU: Primacy of the GDPR over national law of member states; European Data Protection Board ensures uniform application of the GDPR.
- Right to erasure - "right to be forgotten" (Art. 17 GDPR).
What is important for Swiss companies?
The new European General Data Protection Regulation will not only apply within the EU (establishment principle) but has an extraterritorial character (market principle).
- Establishment principle: According to Article 3.1 the GDRP applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- Market principle: According to Article 3.2 the GDPR applies also to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union. This in cases where the processing activities are related either to the offering of goods or services to such data subjects in the Union, or if activities are related to the monitoring of the behavior, as far as their behavior takes place within the Union. Therefore, the GDPR is not only relevant for companies or data processors established in the Union but also for Swiss companies with ties to the European market.
How to prepare (and when)?
Action Item 1 (immediately):
- Data protection has to become a top priority of the Board of Director's agenda. Data protection is one of the compliance topics that have to be sufficiently addressed and documented (risk based approach)
Action Item 2 (2016):
- Already today we recommend the designation of an internal or external data protection officer. This data protection officer should conduct a GDPR risk and impact analysis. In particular, it is necessary to analyze whether and to what extend personal and behavioral data is collected and processed while offering goods and services to EU citizens.
Action Item 3 (2017):
- Not in the sense of anticipatory obedience, but in the sense of foresighted action Swiss companies should be prepared that the new EU data protection standard will have influence on Swiss legislation. The extraterritorial character of the GDPR will require many multinationals to incorporate this new standard in many third countries.
Data protection as competitive advantage: Auditing and certification
If a company is investing in data protection, even if forced to do so, it should use this also in market communication.
Article 42 GDPR encourages companies to apply for a data protection certification to demonstrate compliance with the GDPR. So far Swiss companies had only the possibility to certify their organisation and systems as a whole, either according to EN 27001 (EN 27018) or by requesting an official certification according to article 11 of the Swiss Data Protection Act. Possibilities for a data protection certification of a specific product or service like an App, web shop or cloud service were very limited.
MME closes this gap and offers in cooperation with the German ePrivacy GmbH and the Swiss based Infoguard AG the ePrivacySeal. The ePrivacySeal confirms compliance with the ePrivacySeal data protection criteria catalogue which is based on the EU and Swiss data protection regulations.
A certification follows a standardized process. An initial scoping workshop will be followed by a technical analysis and a report by Infoguard AG. In a second step MME will conduct a legal analysis and will provide a report on compliance with data protection regulation and benchmarking with international best practice. In case all regulatory and technical requirements are met, the company will receive the ePrivacySeal for the subject product. A re-certification has to be conducted every two years.
The ePrivacySeal is already used by several reputable companies in Germany to confirm compliance with data protection regulations internally and to communicate this also to customer and partners: Data protection as competitive advantage! Certification of data protection will become an online- and mobile product quality feature and can support Swiss companies today to comply with data protection regulation of tomorrow.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.