Is GDPR (EU 2016/679) applicable for Swiss organizations?
Since the General Data Protection Regulation (GDPR) comes from the EU (it applies from 25 May 2018), one might easily presume that it does not affect Swiss organizations or Switzerland in general. This is not true though.
A company need not be based within the EU to fall within scope. It may offer products or services to people in the EU either directly (from its Swiss offices) or indirectly (through a local affiliate or subsidiary). Under Article 3(2) GDPR, any organization that processes personal data (online or offline) of data subjects who are in the EU in connection with offering them goods or services, or with monitoring their behaviour, is within scope, even if it is located only in Switzerland.
It is safe to say that the GDPR is no longer just an EU matter: it also touches upon the appropriate handling of personal data by Swiss organizations.
To get a better understanding of how Swiss organizations can fall within the GDPR's scope, here is an indicative and certainly not exhaustive list of cases:
- A Swiss based organisation offering services to EU data subjects;
- A Swiss organization offering goods online to EU and its data subjects;
- A Swiss based organization that processes data in an EU country;
- An EU based affiliate/subsidiary of a Swiss organization collecting and processing data of its employees.
How is data protection currently regulated in Switzerland?
“The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection apply to the processing of data pertaining to natural persons and legal persons by private persons (whether natural persons or legal entities) and federal bodies (Article 2, section 1, FADP).
Cantonal data protection acts apply to the processing of data by cantonal bodies.”
The FADP and its Ordinance cover the processing of personal data, which Article 3(e) FADP defines as any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.
What should you do for GDPR?
You should know by now that your organization could be impacted by the EU GDPR from 25 May 2018. There are a number of actions you can take to minimize the potential impact of a GDPR compliance failure. Initially, you should analyze exactly what the impact could be for your organization in terms of operations, financials and reputation. Even if you do not appear to be clearly within the EU GDPR's scope at this point in time, you still need to pay close attention to data protection regulation. Since the Swiss Federal Act on Data Protection (FADP) is already in force and certainly relevant to your organization, you need to be aware of its potential impact and its implications for your business well in advance.
As the overall effort to implement such a regulation for your organization is quite high, you could make use of Resilience Guard professional services to armor your business. Contact us today to discuss how we can support your efforts.