GDPR and other data protection regulations

Implications of the GDPR for Swiss undertakings

What is GDPR all about?

The EU’s General Data Protection Regulation (GDPR), in force as of 25 May 2018, is designed to give natural persons residing in the European Union greater control of their personal data.

The GDPR has extraterritorial application, meaning that it can also apply outside the EU if certain conditions are met.

Kurz und knapp

Points of contact with and implications for Switzerland

Relevant criteria which make the GDPR applicable in Switzerland:

  • Target audience in the EU: processing of personal data of persons residing in the EU by a bank/asset manager based in Switzerland
  • Establishment in the EU: processing of personal data in connection with the activities of a branch of a Swiss undertaking in the EU

EU General Data Protection Regulation (GDPR)

GDPR requirements and services

Principles of data processing


  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability
  • Data protection by design and by default *

Our services:

  • Advising on the personal data that can be processed (legal basis), ascertaining the data protection officer and checking compliance with all the relevant (and sometimes contradictory) provisions of the law
  • Ascertaining requirements for implementing or adapting processes and procedures, including developing the necessary tools to enable an undertaking to incorporate the data processing rules
  • Processing personal data across different industries and sectors
  • Processing personal employee data (HR)
  • Automated decisionmaking (ADM) and profiling
  • Checking legal regulations in connection with data security (anonymisation, pseudonymisation, encryption, etc.)
  • Meeting accountability requirements

Rights of data subjects


  • Data subjects’ rights of access
  • Right to withdraw consent *
  • Right to rectification *
  • Right to data portability *
  • Right to object to processing of personal data *
  • Right not to be subject to an automated decisionmaking process (including profiling) *
  • Right to erasure *
  • Right to restriction of processing *

Our services:

  • Clarifying and implementing the rights of data subjects (e.g. access rights and right to erasure of data)
  • Implementing effective processes to ensure that the mandate is adequately scaled; its scope must be defined clearly and precisely
  • Analysing data sources and their use: view or taxonomy of databases, business and IT perspective (system-specific view of personal data)
  • Clarifying and designing the approach for handling unstructured data, e.g. data from free-format text fields, PDFs and other documents that are difficult to identify and access

Data transfers


  • Transfer within a group of undertakings
  • Transfer to other undertakings (third parties)
  • Transfer in connection with court proceedings and investigations

Our services:

  • Ascertaining what personal data are to be transferred to third parties or processing parties within your own undertaking
  • Assessing inventory-related measures to ascertain what data attributes are to be transferred to third parties in connection with change the bank (CTB) and run the bank (RTB) activities
  • Legal advice on defining or redefining contractual agreements between the parties involved in developing a framework for data transfer within the group
  • Checking existing contracts with third parties and identifying personal data transferred to third parties, including specifying the purpose of the processing and transfer
  • Legal advice to companies evaluating their repapering, or defining or redefining contractual agreements between the parties involved
  • Drawing up documents and guidelines for intragroup and international agreements on data transfer

Governance, guidelines and control frameworks


  • Data protection impact assessment *
  • Record of processing activities *
  • Lead supervisory authority *
  • Data protection officer *
  • Technical and organisational measures geared to personal data security

Our services:

  • Defining the requisite measures in connections with governance, guidelines and control frameworks
  • Drawing up documents and guidelines on
    • internal data protection and governance architectures
    • data protection within the undertaking, for example on the use of emails and the internet at the workplace, and the storage and archiving of data
    • data protection measures for websites and e-commerce
    • declarations of consent to data processing
    • data processing agreements, particularly in connection with outsourced projects
    • joint controller agreements, particularly in connection with shared platforms and cloud-based solutions (e.g. cloud computing, Internet of Things)

Personal data breaches


  • Notification to supervisory authorities *
  • Notification to data subjects *

Our services:

  • Sorting out existing personal data breaches and security frameworks
  • Advising the legal and IT teams on implementing a triage and notification process for personal data breaches
  • Drawing up an overview of existing security structures and making sure appropriate technical and organisational measures are in place to encrypt data in the event of unauthorised access
  • Advice on designing and implementing notification requirements for personal data breaches or losses (e.g. notification of GDPR breaches) to the supervisory authorities and/or data subjects

Contact us

Patrick Akiki

Partner, Financial Services Market Lead, Zürich, PwC Switzerland

+41 58 792 25 19


Philipp Rosenauer

Partner Legal, PwC Switzerland

+41 58 792 18 56


Urs Küderli

Partner and Leader Cybersecurity and Privacy, PwC Switzerland

+41 58 792 42 21