
EU data protection: Answers for Swiss SMEs

The General Data Protection Regulation of the European Union came into force on 25 May 2018. By answering six questions you can work out whether your company is affected.

22 May 2018, author: Jan Kleiner, photo: Helvetia/Jan Kleiner

With these six questions you can check whether your company is affected by the new EU General Data Protection Regulation.

The General Data Protection Regulation (GDPR) of the European Union came into force on 25 May 2018. This regulation is in fact a set of rules aimed primarily at companies based in the EU. Even so, Swiss companies may also be directly affected, so they should check carefully whether the regulation applies to them. These six questions will help you do that:

1. Do you have a branch office in the EU?
2. Are goods or services offered in the EU?
3. Is the website also aimed at EU citizens?
4. Is your online advertising aimed at citizens in the EU?
5. What about free offers?
6. Do you save your cookies data?

1. Do you have a branch office in the EU?

The GDPR is primarily about the processing of personal data. Therefore, if a Swiss company processes personal data in the context of the work of a branch office in the European Union, it falls in principle under the GDPR. It makes no difference whether the data processing itself takes place in the EU or in Switzerland. Departments or «permanent facilities» in general are also considered to be branch offices in this context. The legal form taken by such facilities is of no relevance.

Example: The parent company of a group has its head office in Switzerland but processes employee details of a subsidiary based in the EU, which affects the personal details of employees resident in the EU.

2. Are goods or services offered in the EU?

Swiss companies that have neither a head office nor a branch office in the EU can also be affected by the GDPR. All it takes is for goods or services to be offered into the EU – insofar as the data of persons from the EU are processed in this context.

Example: A company exports to Italy and records the date of birth of customers from the EU.

3. Is the website also aimed at EU citizens?

The sole fact that a company’s website can also be accessed in the EU is in principle not enough to imply that the company is «offering» goods or services (in terms of the GDPR) to persons in the EU. However, other criteria can be fulfilled relatively quickly: if there is a direct reference on the website to deliveries into the EU (e.g. shipping costs); if the website permits country settings to be chosen which are specifically aimed at citizens from EU countries; or if prices are shown in euros on the website or language settings can be chosen specifically for citizens of the EU. In these cases it cannot be ruled out that «an offer to persons in the EU» is being made and that the GDPR is applicable.

4. Is your online advertising aimed at citizens in the EU?

Another clear indication of such an offer to EU citizens would be if the online advertising (e.g. AdWords employed for that purpose) is specifically intended to address citizens resident in an EU member state.

5. What about free offers?

Even services offered free of charge are covered by the GDPR, for example websites that provide pure information services.

6. Do you save your cookies data?

The GDPR can be applied not only to the offer of goods and services but also to the mere monitoring of the behaviour of persons in the EU. In such cases, it is also advisable for a company to clarify more precisely whether the criteria for the applicability of the GDPR are fulfilled and what resulting legal consequences arise.

Example: A website that is accessed from the EU and uses cookies that record personal data.

Information for affected companies

There may be legal consequences for companies that are affected by the GDPR because the regulation includes new duties. To see precisely what these are, read our article, «EU data protection: new duties for Swiss SMEs».

Well protected with cyber insurance

Helvetia will be happy to help you quickly and easily on matters of data protection with cyber insurance: External legal advisors clarify whether and to what extent it is necessary to report to the authorities and/or the affected parties. In view of the short response times and as a result of the impending fines, Helvetia's cyber insurance can provide protection against high follow-up costs and provide fast, efficient and targeted assistance in the event of a claim.

Jan Kleiner

Jan Kleiner works as a solicitor in Zurich. He is a specialist in such questions as data protection. As part of the Helvetia network, he also advises Helvetia's cyber insurance customers.
