Data is the capital of the 21st century. We support you in ensuring that you can procure your capital within the legal framework and protect it later.
Protection of your customer and employee data
Data protection contracts
Data protection assessments and GAP analysis
Support with the introduction of a data protection management system (DSMS)
Preparation and review of data protection declarations and data protection contracts
Drafting and negotiating order processing contracts
Data protection impact assessments
Assumption of the position as external DPO
Support with requests for information and deletion as well as with data mishaps
Representation in supervisory proceedings
Trainings
Contact persons
Publications
The Swiss-U.S. Data Privacy Framework comes into force on September 15, 2024 and enables the transfer of personal data to certified U.S. companies without the need for additional safeguards.
Our lawyers are professional not only when providing legal advice, but also outside of our office. Since this year, lawyer and specialist lawyer Sven Kohlmeier has been regularly discussing current network policy issues relating to Switzerland in the Digital Society podcast.
In the Bilanz Ranking 2024, Wicki Partners AG was once again named the TOP law firm in Switzerland, confirming its position as a specialized commercial law firm. The Handelszeitung, in collaboration with Statista, selected the best law firms from over 29,000 recommendations from clients and colleagues.
Applications of AI solutions in law firms are therefore becoming increasingly widespread, both with regard to the actual activities of lawyers and internal law firm processes. The following article outlines the special considerations that should be taken into account.
Attorney at Law and IT Law Specialist Sven Kohlmeier was one of the participants who gathered in the lecture hall of the University of Zurich on October 26, 2023 to hear how the Federal Data Protection and Information Commissioner Dr. Adrian Lobsiger positions himself some 2 months after the new Swiss Data Protection Act came into force.
On July 10, 2023, the European Commission issued the adequacy decision for data transfers from the EU to the U.S., thus endorsing the EU-U.S. Data Privacy Framework. Find out what this means for Switzerland in our newsletter.
In the Bilanz Ranking 2023, Wicki Partners AG was once again named TOP law firm in Switzerland, confirming its positioning as a specialized commercial law firm. From over 25,000 recommendations from clients and colleagues, the Handelszeitung, in cooperation with Statista, selected the best law firms.
Can a web designer be liable to prosecution in the future when creating websites? Is the office employee responsible for data protection information? Will online store operators have one foot in the door for fines in the future? This article provides answers to questions about the new data protection law.
At the beginning of February 2023, our IT lawyer Sven Kohlmeier answered questions on the panel of the "Swiss Startup Conference" at Trust Square near Paradeplatz in Zurich, Switzerland. Together with Tonia Zimmermann, co-founder of UMushroom, and Michael Dudli, founder and CEO of Xelon, they gave very practical advice for Swiss startups. Nearly 500 participants were present to exchange ideas and network.
The turn of the year is not only an opportunity to review the previous year or to prepare and perform legal obligations such as the preparation of the balance sheet and income statement. The turn of the year is also always a preview of the legal changes that are to come in the new year. It is one of the duties of every business owner, board of directors or managing director to be aware of legal changes and to carry out any necessary risk assessments or to initiate measures to implement legal requirements. We would like to give you an overview of the legal changes; we have often reported on them in detailed articles during the year. You can find everything in compact form here.
In ruling BGer 4A_277/2020, the Federal Supreme Court ruled that the assertion of the right to information under Art. 8 DPA for the purpose of clarifying the prospects of litigation is an abuse of rights and must therefore be rejected. The question arises as to how this decision will affect areas other than corporate law, namely employment law disputes.
Cyber attacks on corporate and administrative data are regrettably part of everyday life in the age of digitalization. Often, the public and the people affected either do not learn about such incidents at all or learn about them very late, partly because they fear damage to their reputation. However, it is essential to respond appropriately to such cyber attacks.
In the first article in our series on the data protection revision, we showed you which changes are associated with the revision. In the following, we provide you with recommendations on how to respond to these changes.
Sven Kohlmeier spoke at the conference about Cybersecurity Best Practices and Considerations in the Time of Covid. In particular, attacks with so-called ransomware (blackmail Trojans, crypto-Trojans, extortion software) pose a considerable threat, especially for companies. Especially in times of home office and teleworking, basic cyber security measures must therefore be observed.
In less than a year, on September 1, 2023, the new Swiss Data Protection Act (revDSG) will come into force. We would like to give you an overview of the new features of the revDSG and any necessary adjustments in your company.
In the final straight, the total revision of the Data Protection Act came to a standstill once again, as the National Council and the Council of States did not quite agree on some details. Today, the parliament finally got the draft law over the finish line.
As a result, the total revision is a moderate renewal and approximation to the GDPR, but less strict and comprehensive than originally envisaged.
The employer's access to e-mail addresses in the name of an employee is problematic from the point of view of personal rights and data protection and must be regulated in a set of rules.
After almost two years of the GDPR, the fines from the regulators are starting to pile up. Buying or merging with a company that lacks proper cybersecurity, or one that is not in compliance with the GDPR, becomes a considerable risk. For instance, Marriott was fined £99 million by the Information Commissioner's Office (ICO), which is the UK regulator, after hackers stole the guest records of the Starwood Hotels & Resorts Worldwide that it had acquired. A study by Merrill Corporation has shown that over half (55%) of practitioners surveyed across EMEA said they had worked on M&A transactions that had not progressed because of concerns around a target company's data protection and compliance with GDPR. Therefore, non-compliance with GDPR can become a serious issue for the seller.
In a recent article in Data Protection for Practitioners, Yves Gogniat looks at IoT, wearables, smart devices and other connected devices. Under the title "Can I collect personal data through connected devices without consent?", he explores the questions to what extent the consent of the data subject is necessary for the use of connected devices and how to deal with connected devices that do not have their own interface.
The article is available here.
The National Council's State Policy Committee (SPK-NR) has concluded its deliberations on the bill for the total revision of the Data Protection Act (17.059). However, the bill was only narrowly adopted, by the casting vote of the president, after nine votes to nine with seven abstentions. It shows that there is still no agreement among the various interest groups and that the revision of the law will therefore take longer than originally planned. In addition, the Commission decided that the new law should only come into force after a transitional period of two years. This would mean that we will probably not have a new data protection law until around 2022/2023.
Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.
The ECJ has ruled that Facebook's "Like" button was not implemented in a data protection-compliant manner and that the website operator bears joint responsibility for such plugins.
A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).
Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.
Until now, EU Data Protection Laws have only applied to companies with a presence in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, with the consequence that the new law not only affects companies within the EU, but also countries outside of its borders. In certain situations, the GDPR is also applicable to companies (controllers) outside of the EU.
The potential cross-border applicability has left many companies outside the EU confused, and it has led to uncertainty.
Until now, EU data protection law only applied to companies that had an establishment in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, which means that the new law potentially affects not only companies in the EU. The scope of the law also covers companies outside the EU under certain conditions. In particular, Swiss companies that are often active in the EU could be affected by the GDPR.
This cross-border applicability has led to uncertainty for many companies outside the EU.
Who is not familiar with the annoying advertising calls from some, often dubious, companies trying to sell you a new telephone subscription, a change of health insurance, online trading or other goods or services?