Until now, EU data protection law only applied to companies that had a presence in the EU and processed personal data there. The new General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018, deviates from this principle, with the result that the new law potentially affects not only companies in the EU. The scope of the law now also covers companies outside the EU under certain conditions. Swiss companies in particular, many of which operate in the EU, should definitely check before 25 May whether they will in future be covered by EU data protection law and thus be affected by it. This contribution is therefore primarily aimed at companies operating outside the EU.

General information about GDPR can also be found in this article:
General Data Protection Regulation (GDPR 2018) erklärt

Is my company affected by the GDPR?

The GDPR distinguishes between two criteria:

There is a branch in the EU (Art. 3 (1) GDPR)

A non-EU company has a branch or subsidiary in the EU. This also includes data processing as an order processor for a company from the EU. This criterion has already applied and is therefore not new.

The target market is in the EU (Art. 3 (2) GDPR)

The GDPR now also applies if data processing does not take place within the EU but a person established in the EU is affected by data processing, i.e. as soon as services or goods are offered in the EU, the GDPR generally applies.

Examples:

• There is an online presence which is also aimed at customers in the EU.
• Web tracking (e.g. cookies) is operated, which also covers residents of the EU.
• The online shop is also open to EU customers.
• There is a distribution network in the EU and close cooperation with agents. Customer data is exchanged in the process.

What are the consequences if I do nothing?

If the first question is answered with Yes, the question of the consequences for non-compliance with the new rules usually arises immediately. In many cases, an SME does not have a large compliance budget, which is why priorities have to be set on the basis of a risk analysis.

Unless you are working in a sensitive or particularly exposed area, the data protection risk has usually not been very high up to now. The penalties or fines have so far not been particularly severe, which has prompted many companies not to pay particular attention to the issue.

The legislator has taken this fact into account in the GDPR and drastically increased the powers of the supervisory authorities as well as the financial consequences. In future, it will no longer be a trivial offence to ignore data protection.

In contrast to Swiss law, the GDPR allows fines to be imposed. If milder means (e.g. warnings) are no longer sufficient or it concerns a particularly serious case, serious fines can be imposed. A fine can amount to up to 20 million euros or 4 percent of a total annual turnover. Further civil claims are also possible.

Due to the potentially significant financial consequences, more attention should be paid to data protection and at least a risk assessment should be carried out and corresponding rules implemented.

What are the main differences to other countries?

Most countries already have a strong data protection law, which is why the issue should not be completely new for most companies and minimal regulations often already exist.

Main differences

• Higher requirements for consent to data processing.
• Data breaches must be reported to the supervisory authorities and, if necessary, to the persons concerned (data breach notfication).
• There is a right to data portability.
• There is a right to oblivion.
• Further information and correction rights.
• Different requirements for the appointment of an internal data protection officer.
• Companies outside the EU must appoint a representative.
• Data protection through Privacy by Design and Default.
• Stricter sanctions and fines.

What is the best way to address the issue?

As a first step, an investigation about the current state should be carried out; the following questions can help:

• Which personal data is processed in the company?
• Are personal data of persons established in the EU processed?
• Are personal data exchanged across borders?
• Which regulations, data protection regulations, instructions, etc. already exist?
• Are the employees already trained and sensitized?
• Are third parties (sales partners, external IT support, etc.) obliged to comply with data protection regulations?
• Is data security guaranteed in addition to data protection?
• Is data processing communicated in a sufficiently transparent manner?
• Are existing consents sufficient for data processing?

Notes on checking the basis for data processing

In the B2C area, a justification is necessary for personal data to be stored and processed. In many cases, the direct consent of the person concerned is required. The requirements here have increased, the consent to data processing must be formulated simply and comprehensibly, and the individual purpose of data processing must be clear. It must also be easy to withdraw consent. If no detailed information about the natural persons of the customer (employee) is recorded in the B2B area, no consent is necessary, since it concerns data of legal persons. An individual check must be made in each case.

The current basis or consent for data processing must be checked for GDPR compatibility.

Notes on the amendment of regulations, directives, etc.

First of all, it should be noted that the creation of a rule is usually the simple part. The more difficult part is usually to communicate the content to the employees in an understandable and sustainable manner. The rules should therefore correspond to the corporate culture and be formulated as simply and comprehensibly as possible. The respective hierarchical level, the level of education and the effective area of responsibility of the person should also be taken into account.

If regulations already exist, they can be used as a basis and revised. In some cases, however, new processes have to be created, for example, very few companies will already be familiar with a data break process.

When must a data protection officer be appointed?

If data processing forms the main activity or if personal data are processed regularly and systematically, then a data protection officer must be appointed. Further information on the data protection officer can be found here.

When must a data protection representative be appointed?

If no data protection officer is required, it may be necessary to appoint a data protection representative. Companies which are not established in the EU but to which the GDPR applies as a result of the direction of their activities are generally obliged to appoint a data protection representative. Its main function is to provide the supervisory authorities with effective access to the company within the European Union. The data protection representative serves as a contact point for the supervisory authorities to ensure compliance with the provisions of the GDPR.

Useful Links about GDPR:

• General Data Protection Regulation (GDPR) Law text
• 29 Working Party
• European Data Protection Supervisor
• IAPP

Yves Gogniat

Yves Gogniat ist Experte für Informations- und Technologierecht mit den Schwerpunkten Datenschutz und IT-, Vertrags- und Gesellschaftsrecht. Er verfügt über ein breites Wissen in den Bereichen Blockchain-Technologie, Krypto-Währungen und hat seine Erfahrungen in verschiedenen Kanzleien sowie in der öffentlichen Verwaltung gesammelt.