Various laws and decrees are applicable to Swiss data protection, in particular the Swiss Data Protection Act. As of 25 May 2018, the GDPR (General Data Protection Regulation) of the European Union will also apply.

The aim of data protection is not the protection of personal data itself, but of the personal rights of natural persons and, in Switzerland, also of legal entities. Personal data is understood to be all information that relates to a specific or identifiable person, i.e. if it is possible to draw conclusions about a person without considerable effort (in some cases also IP addresses or cookies). Sensitive personal data is data whose processing poses a particularly high risk of personality violations. "These include religious, ideological or political views, health, race, administrative or criminal prosecutions and sanctions, or so-called personality profiles," says Sergio Leemann, lic. iur., attorney-at-law, partner at Wicki Partners AG. The term "processing of personal data" is very broad and includes all activities, i.e. the collection and storage of personal data.

Safety must be guaranteed

In the field of data protection, principles for data processing have emerged over the past decades which must be observed. The collection, use and transfer of personal data as well as the purpose of the processing must be lawful and comprehensible. "The quality and quantity of the data collected must be suitable for achieving the purpose. To this end, they must be correct and up-to-date and must not be stored longer than necessary," says Leemann. Adequate security must always be ensured in processing, he adds, as well as protection against unauthorised or unlawful processing through technical and organisational measures. In addition, transfer to countries where the level of data protection does not correspond to that in Switzerland (e.g. the USA) is not permitted.

"The GDPR requires that any person from whom personal data is collected must explicitly consent
to the use of their personal data."

Sergio Leemann

EU goes one step further

However, the GDPR, the General Data Protection Regulation of the European Union, goes one step further and also regulates the export of personal data to countries outside the European Union. Companies that store or process personal data of EU residents must comply with the GDPR guidelines from 25 May 2018. "The GDPR requires that every person from whom personal data is collected must explicitly consent to the use of his or her personal data and has the right to know which of his or her personal data a company uses and for what purposes," says Leemann. Every person has the right to have their data deleted or to have their personal data transferred, which companies must ensure through appropriate technical measures.

Reporting incidents within 72 hours

In the future, companies must report security incidents to the responsible authorities as well as the affected persons within 72 hours of becoming aware of them. For this purpose, the corresponding technical and organisational measures must be taken. In addition, a data protection impact assessment must be carried out to assess the risks for data subjects and to inform what measures the company is taking to minimise any risks that may have arisen. "Companies that store or process large amounts of personal data will also be required to appoint a data protection officer to monitor and ensure both the data protection strategy and compliance with applicable laws," says Leemann. In the event of violations of the GDPR, companies can face fines of up to 20 million euros - or four percent of the group's total global turnover.

Challenge for companies

The big challenge for Swiss companies is, on the one hand, to clarify to what extent the GDPR is applicable to the company at all and, on the other hand, that new organisations, mechanisms and procedures have to be introduced. In addition, it is known that Switzerland is working on a new data protection law that will be strongly based on the GDPR, but its entry into force has been postponed until an unknown time.

Wicki Partners helps companies to implement the GDPR. Together with the companies, assessments are carried out and strategies tailored to the respective company are developed in order to optimally ensure compliance in data protection.

This article was written by RA Sergio Leemann.