Need for action on data protection by 25 May 2018
The legal framework for data protection is changing dramatically, forcing companies in the EU and in third countries to adapt. On 25 May 2018 the new EU General Data Protection Regulation (GDPR) takes effect with significant changes. Many companies, especially in third countries such as Switzerland, are still not aware that this new set of rules affects them directly, even though Swiss national data protection law (for now) remains unchanged. And this despite fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
The EU General Data Protection Regulation also applies in Switzerland
With the GDPR, the EU is creating a uniform legal basis for the entire EU and harmonising the previously national legislation. Beyond harmonisation, however, the EU also pursued the goal of creating a means of taking action against companies in third countries that store or process data of persons residing in the EU. What was primarily aimed at Google, Facebook and Co. now ultimately affects every company that stores or processes data of EU persons in the course of its business activities. This includes, for example, keeping contacts in a CRM (Customer Relationship Management) system, recording website visit data, or maintaining EU natural persons in the accounts receivable master data. Strictly speaking, the market location principle determines which data protection law applies. But thanks to the Internet, services are considered to be provided at the customer's location, even if they are delivered from Switzerland: the GDPR applies to a company without an EU establishment as soon as it offers goods or services to persons in the EU or monitors their behaviour there. In short: practically every company that does business with people in the EU is already directly affected.
From 25 May 2018, the EU GDPR will therefore not apply only in the EU. Companies in third countries such as Switzerland must now implement the national data protection law and the new EU requirements in parallel.
Implementation under difficult conditions
Over the next few years, Switzerland will adapt its national legislation to that of the EU in order to retain its classification by the EU Commission as a third country with an adequate level of data protection. This is particularly important for IT companies based in Switzerland if they are to remain competitive in the EU.
The IT implementation, on the other hand, may be even more complicated than the legal adaptation. On 25 January 2017, the US President ordered by executive decree that the protections of US privacy law be withdrawn from or restricted for non-US persons (cf. c't of 18 April 2017: "Raus aus den US-Clouds"). In all likelihood this will also torpedo the EU-US Privacy Shield, in force only since the summer of 2016, and its Swiss-US counterpart, and probably bury them again after only a few months.
Update, 28 July 2020: the EU-U.S. Privacy Shield was invalidated by the European Court of Justice on 16 July 2020 (case C-311/18, "Schrems II").
But which company in Switzerland does not purchase services from American IT companies, or has not already exchanged data via Dropbox or similar services, whether deliberately or unknowingly through pragmatic employees?
Which requirements are to be implemented?
For us, this is reason enough to examine the GDPR more closely in a series of articles over the next few weeks.
- Part 1 of the series introduces the different actors and sets the framework.
- Part 2 examines the principles of data protection, structured around four pillars.
- Part 3 explains the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 examines legally privileged, desirable processing methods.
- Part 5 concludes the series with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About linkyard
linkyard specialises in building software solutions with high security requirements and in professionally supporting IT procurement processes. For the correct and economical implementation of data protection requirements in IT systems in particular, an iterative collaboration between IT security specialists such as linkyard and a specialised lawyer has proven advantageous: finding the most cost-effective and at the same time legally compliant solution usually requires working out and evaluating several implementation variants, and the first solution that seems best typically goes through a number of adjustments. We would be pleased to accompany your project as well.