Why it is worthwhile to process Swiss personal data in Switzerland
Globally increasing data protection regulation
Many companies are facing new and increasingly strict data protection regulation. For companies in Switzerland, the EU General Data Protection Regulation (GDPR) has been a major challenge since 2018. Although the EU can generally only legislate and enforce laws within its own territory (principle of territoriality), it has demanded global compliance with its new data protection rules, fully aware that in times of digitalization, rules applicable only to EU companies would primarily represent a competitive disadvantage rather than enhance the protection of the individuals concerned.
At many companies in Switzerland – both at local firms and corporations as well as at Swiss subsidiaries of international corporations – data protection compliance projects were subsequently initiated to align processing activities with the requirements of the GDPR. In many places, it was forgotten or ignored that for most companies in Switzerland, the GDPR does not apply at all, as none of the cases of extraterritorial effect mentioned in the law are present.
(Non-)Applicability of the GDPR in Switzerland
The GDPR applies to Swiss companies only if, on the one hand, personal data of individuals located in the Union is processed and, on the other hand, the processing is related to either
a. the offering of goods or services to such individuals; or
b. the monitoring of such individuals' behavior.
In all other cases, the GDPR is not applicable outside the EU. This also applies specifically to Swiss subsidiaries of international corporations, meaning: just because the parent company falls under the GDPR, the Swiss subsidiaries do not necessarily have to comply with EU data protection law, as long as they do not specifically offer services in the EU or engage in behavioral monitoring there. And even if they do, the requirements of the GDPR only apply to data relating to individuals who are in the Union and not to those of individuals who are in Switzerland.
Avoid risks, do not unnecessarily restrict room for maneuver
What does this mean concretely? It means that international corporations also have the opportunity to specifically exclude their processing of personal data concerning individuals in Switzerland from the scope of the GDPR and instead comply (only) with the current Swiss data protection law (or the revised law that is expected to come into effect in the next 1-2 years). A prerequisite for this is that the data processing processes are designed accordingly, in particular that the data storage or processing takes place in Switzerland rather than being centralized or outsourced in the EU.
There are many conceivable reasons for such data storage and processing in Switzerland. In particular, risks can be avoided (e.g., high data protection fines), and the existing scope for action in Switzerland is not unnecessarily restricted. Fundamentally, there is a liberal attitude towards personal data processing in Switzerland, which generally allows personal data processing and only prohibits it in certain cases (permission subject to prohibition), whereas in the EU there is a general prohibition on personal data processing with the exception that processing is permitted in certain cases (prohibition subject to permission). Additionally, the following points also support keeping data processing in Switzerland:
The data protection law is significantly less strict, even after the revision currently pending in Parliament. The following comparison refers to the revised data protection law according to the current status (August 2020), in particular:
the maximum fines are significantly (!) lower:
  CH: CHF 250'000
  EU: EUR 20,000,000 or 4% of the worldwide revenue from the previous year
In Switzerland, data breaches (data leaks) must be reported as quickly as possible, but there is no fixed deadline for doing so, and violations of the reporting deadline are not subject to a fine. In contrast, the EU has a strict deadline of 72 hours, and violations can result in fines of up to EUR 10,000,000 or 2% of annual revenue.
commissioned data processing (processing by a processor on behalf of the controller) is much simpler:
  CH: almost no legal requirements regarding commissioned data processing
  EU: very many content requirements for processor agreements, down to the details
there is more room for maneuver in direct marketing:
  EU: more restricted by the GDPR, continuously tightened by regulatory practice and case law in all EU/EEA countries as well as by the CJEU
it is easier to obtain consent:
  CH: consent can also be given within general terms and conditions (GTC) (with certain exceptions); no general prohibition on tying consent to other matters
  EU: consent must be obtained separately from other matters; general prohibition on tying consent to other matters ("coupling prohibition")
data subjects have fewer rights and there are fewer information obligations in Switzerland.
The obstacles and uncertainties of international data transfers do not arise in a purely domestic relationship
Transferring personal data abroad always requires an adequate level of data protection in the destination country. Transfers to the EU are currently possible without additional protective measures, but this can change, as has recently happened in the EU-US relationship due to the judicial annulment of the Privacy Shield agreement. Additionally, transfers to the USA have become more difficult from Switzerland since September 8, 2020, after the Federal Data Protection and Information Commissioner (FDPIC) deemed the Swiss-US Privacy Shield inadequate.
It is conceivable, for example, that the EU no longer considers Switzerland a safe country for data transfers due to the protracted data protection revision, and in return, Switzerland denies the EU this status. Transfers of personal data would then only be possible if additional protective measures are implemented, such as the conclusion of standard contractual clauses for data protection.
In the EU, the ePrivacy Regulation is already indicating a more extensive regulation, and the case law regarding cookies is continuously leading to stricter requirements. In Switzerland, there are currently no similar efforts underway, either regarding ePrivacy or cookies.
In Switzerland, there is significantly less and more pragmatic government activity:
The data protection authority has (so far) been significantly less active than its counterparts in Germany, Austria, France, or other comparable EU countries. The Swiss data protection authority also sees itself as one that advises and supports companies, and not just as an enforcement authority.
The oversight practice of the data protection authority is manageable, as there is only a single authority with significantly less staff compared to the EU (in Germany alone there are already 16 authorities, and a total of 35 across the EU/EEA).
Swiss providers cover local legal and regulatory requirements and are familiar with them in detail:
Switzerland is not a member of the EU/EEA and has independent laws that must be observed when advertising to individuals in Switzerland
Swiss providers are familiar with the requirements of Swiss law and jurisprudence, particularly the regulations on direct marketing or mass advertising in Switzerland that differ from those of the EU (Federal Act against Unfair Competition, Swiss Cookie Legislation, supervisory practices of the Swiss Data Protection Authority)
Swiss providers also bring a wealth of experience regarding local customs and are closer to the pulse of the local population.
The Swiss legislation generally enjoys a good reputation and offers high reliability, particularly due to a pragmatic legislator who takes the needs of the economy into account and a predictable legislative process.
Not least, Swiss providers are often better accepted by end customers (e.g., Swiss German in telemarketing, sender addresses in Switzerland, etc.).
Why data storage and processing in Switzerland is crucial
It is important that the data processing within the group is separated in this regard and that the data sets concerning individuals in Switzerland are actually processed in Switzerland. Because if the Swiss subsidiary outsources its data processing to the parent company (or a provider) in the EU, the GDPR will apply to the processing there as well. In other words, this means that the GDPR applies to data sets that would be subject to much less extensive restrictions without the outsourcing to the EU, thereby exposing the group to unnecessary risks and voluntarily limiting existing leeway.
A concrete example for illustration: A supplier of a Swiss company is hacked, and a larger dataset is downloaded by the attackers. Among the data are personal data of Swiss customers of the Swiss company, including delivery addresses and credit card information. If the supplier, for example, is the German parent company, the GDPR also applies to this personal data of Swiss customers, along with the 72-hour notification period and the potential fine of up to EUR 10,000,000. However, if the supplier is a Swiss company, the GDPR does not apply to this personal data of Swiss customers, and the data breach must be reported as soon as possible, with a violation of the notification period not resulting in any fines.
Under these circumstances, it is advisable for all Swiss companies and corporations with Swiss subsidiaries to carefully consider whether they really want to outsource their processing of "Swiss" personal data to EU companies or if it would be better to choose a Swiss provider.
Author: Kaj Seidl-Nussbaumer / Probst and Partner on behalf of pdc Marketing + Information Technology AG
Written: September 10, 2020