The General Data Protection Regulation (GDPR or EU-Datenschutzgrundverordnung / DSGVO), is directly applicable from 25 Mai 2018 in all EU-member countries. The potentially severe sanctions pursuant to the GDPR are considered to be very menacing. Penalties may reach up to 4% of the worldwide turnover or EUR 20 Mio in maximum.
Application of the DSGVO is not limited to the territory of the EU. It also may apply to data processing in Switzerland. In this sense it is understood that the DSGVO has extraterritorial effect. Swiss companies namely have to apply the DSGVO, in case they have a subsidiary in the EU territory or if date processing is related to persons in the EU; such as offering goods or services to such persons or tracking their client behavior. Uncertainties are existing with regard to the interpretation of the said criteria and, accordingly, a broad range of interpretation has to be expected.
However, Swiss companies may not qualify the DSGVO as being irrelevant for them. They have to take care of their data processing and assure what kind of data is processed. In addition, they should do a risk analysis in the sense of the DSGVO and should also establish a control mechanism and control systems.
The Swiss Data Protection law (DSG) is about to be revised in total. It is not expected that it will be in force before the beginning of 2019. The revised DSG is related to the DSGVO but will contain in the present draft some “Swiss Finishes”, which make it to an independent legal basis.
It may be helpful to uses tools developed in practice, such as the online data processing Check of economiesuisse or the forms of www.dsat.ch. In many cases, it will be worth to carry out in particular deeper analysis and assessments.