22 May 2018, author: Jan Kleiner, photo: Helvetia/Jan Kleiner
The General Data Protection Regulation (GDPR) of the European Union came into force on 25 May 2018. This regulation is in fact a set of rules aimed primarily at companies based in the EU. Even so, Swiss companies may also be directly affected. Specifically, this means that Swiss companies should check carefully whether they are affected by the regulation. These six questions will help you do that:
1. Do you have a branch office in the EU?
2. Are goods or services offered in the EU?
3. Is the website also aimed at EU citizens?
4. Is your online advertising aimed at citizens in the EU?
5. What about free offers?
6. Do you save cookie data?
The GDPR is primarily about the processing of personal data. Therefore, if a Swiss company processes personal data in the context of the work of a branch office in the European Union, it falls in principle under the GDPR. It makes no difference whether the data processing itself takes place in the EU or in Switzerland. Departments or «permanent facilities» in general are also considered to be branch offices in this context. The legal form taken by such facilities is of no relevance.
Example: The parent company of a group has its head office in Switzerland but processes employee details of a subsidiary based in the EU, which affects the personal details of employees resident in the EU.
Swiss companies that have neither a head office nor a branch office in the EU can also be affected by the GDPR. All it takes is for goods or services to be offered in the EU, insofar as the data of persons from the EU are processed in this context. Example: A company exports to Italy and records the date of birth of customers from the EU.
The mere fact that a company's website can also be accessed in the EU is in principle not enough to imply that the company is «offering» goods or services (in terms of the GDPR) to persons in the EU. However, other criteria can be fulfilled relatively quickly: if there is a direct reference on the website to deliveries into the EU (e.g. shipping costs); if the website permits country settings to be chosen which are specifically aimed at citizens of EU countries; if prices are shown in euros on the website or language settings can be chosen specifically for citizens of the EU. In such cases, it cannot be ruled out that «an offer to persons in the EU» is being made and that the GDPR is applicable.
Another clear indication of such an offer to EU citizens would be if the online advertising (e.g. AdWords employed for that purpose) is specifically intended to address citizens resident in an EU member state.
Even services offered free of charge are covered by the GDPR, including, for example, websites that provide purely informational services.
The GDPR can be applied not only to the offer of goods and services but also to the mere monitoring of the behaviour of persons in the EU. In such cases, it is also advisable for a company to clarify more precisely whether the criteria for the applicability of the GDPR are fulfilled and what resulting legal consequences arise.
There may be legal consequences for companies that are affected by the GDPR because the Regulation includes new duties. To see precisely what these are, read our article, «EU data protection: new duties for Swiss SMEs».
Helvetia will be happy to help you quickly and easily on matters of data protection with cyber insurance: External legal advisors clarify whether and to what extent it is necessary to report to the authorities and/or the affected parties. In view of the short response times and as a result of the impending fines, Helvetia's cyber insurance can provide protection against high follow-up costs and provide fast, efficient and targeted assistance in the event of a claim.