GDPR for Swiss-based Companies: Six myth-busting facts

Susanne Hofmann Data Protection Officer, PwC Switzerland and Liechtenstein 05 Mar 2019

The EU General Data Protection Regulation (GDPR) has been applicable since 25 May 2018. For many Swiss-based companies, GDPR compliance has since become a dominant item on the corporate agenda. It is time to address some of the most notorious myths that have spread and are still widely repeated.

Does my company, being based only in Switzerland, have to comply with GDPR? There is no simple answer to this. Ask yourself instead: when do I not have to bother about GDPR? This post addresses a number of myths about the territorial application of GDPR that took hold during the GDPR frenzy. We debunk the six most notorious ones below.

  1. I trade with companies in the EU/EEA: Offering goods or services to companies (i.e. legal entities) in the EU/EEA does not by itself trigger the application of GDPR. Be aware, however, if you also deal with end customers there.
  2. End customers from the EU/EEA automatically trigger GDPR: GDPR applies only if you actively target end customers in the EU/EEA (e.g. by offering them goods or services) or if you monitor their behaviour. Each business is different and may require a case-by-case assessment. If your company or SME caters only to end customers in Switzerland, it is unlikely to be subject to GDPR.
  3. I employ people from the EU/EEA: Employees working in Switzerland do not trigger the application of GDPR, regardless of their citizenship or place of residence.
  4. GDPR will “infect” my entire company: If you target EU end customers, you must comply with GDPR, but only for that particular activity. It is unlikely to “infect” the company as a whole, for instance HR or the treatment of your Swiss customers (unless operational reasons, such as shared tools or systems, make company-wide compliance the practical choice).
  5. GDPR applies; do I have to appoint a DPO? Not every company has to appoint a data protection officer (DPO). The obligation arises only in specific cases, e.g. where core activities involve large-scale processing of special categories of personal data or large-scale, regular and systematic monitoring of data subjects, or where national legislation requires a DPO.
  6. Cantonal institutions have to comply with GDPR: Cantonal institutions and organisations such as public hospitals may be subject to specific cantonal legislation, so the scope of their GDPR obligations requires a thorough legal assessment.

Regardless of whether GDPR applies, the Swiss Federal Data Protection Act (FDPA) always applies to Swiss-based companies. The FDPA is currently under revision, and we expect its data protection duties to converge with those of GDPR. To quote a famous American author: “The best preparation for tomorrow is doing your best today.”

Need assistance or want to learn more about data protection? Contact PwC Legal’s data protection team. We are ready to answer your questions and support you.


Contact us

Susanne Hofmann

Data Protection Officer, PwC Switzerland and Liechtenstein

Tel: +41 58 792 17 12