The General Data Protection Regulation (GDPR) also affects Switzerland
The General Data Protection Regulation (GDPR), which will apply to all EU member states from May 2018, also affects Switzerland. It places new data protection requirements on compliance officers. Nevertheless, a data protection officer is not immediately required in every company.
The General Data Protection Regulation will usher in a new era of European data protection law in May next year. The GDPR applies to all member states of the European Union (including the United Kingdom). The EU General Data Protection Regulation (EU GDPR) replaces the old Data Protection Directive of 1995.
The primary goal was to protect the rights and privacy of internet users in the 28 EU countries. At the same time, however, regulatory limits were to be set for the "data monsters" - Google, Facebook, Amazon and the like - in the EU area.
To date, there has been much discussion about penalties and sanctions for violations, including up to 20 million euros or four percent of a company's annual global turnover, which even a negligent SME in Switzerland would have to fork over from 2018.
In the past, the role of the data protection officer was largely undefined, because the European data protection law still in force today stems from an EU directive of 1995. "Data protection roles and tasks were not yet taken into account to the extent that the GDPR requires today," explains Katja Böttcher*, Legal & Compliance Project Manager. The lawyer, who specialises in white-collar crime, has been coordinating large legal and compliance projects for years.
New roles?
Only about twelve years ago, data protection was practised exclusively in a "computing context". The first people to be given the informal title of Data Protection Officer (DPO) usually had an IT background: they were the ones who could understand, identify and "protect" the flow of computerised data. Today, in an age where technology so dominates our lives, the role and tasks of a DPO have changed significantly.
"If the role of a compliance officer is considered in general and independently of the new EU Data Protection Directive, this function has taken on clear contours over the course of the last few years," explains Katja Böttcher.
The new regulation is not only about data security or the IT perspective, but also about competences in areas such as labour law and much more. "Overall, however, the task can certainly be described as very complex, particularly with regard to international data protection. Its management will increasingly pass into the hands of specialised compliance functions," says the Swiss lawyer.
The GDPR defines the role of a DPO and requires companies and organisations to appoint one. Taken generally, every company and public institution would need a DPO in order to comply with freedom of information and fundamental rights.
"However, this is highly variable, depending on the size, industry and area of activity of a company," underlines Katja Böttcher, compliance expert.
Different responsibilities
Until now, the heads of small businesses or administrative bodies have always been liable for breaches of the duty of care. Recently, there has also been talk of third-party "de facto bodies", such as outsourced controllers or IT or data security officers, being held strictly liable. Do Swiss SMEs now have to expect stricter consequences under criminal law?
"The responsible bodies or functions have the task of countering corporate risks in the best possible way, minimising the liability risk for the company and ultimately for the persons acting," explains the lawyer. She puts this into perspective: "A data officer is certainly necessary where a data protection breach or data security has been classified as a relevant corporate risk. A locally active SME that serves as a supplier of spare parts probably doesn't need a special data officer, whereas a provider of a business database does."
Accountants without a management function or corresponding responsibility can, at most, breach their duty of care under employment law if they do not adhere to the specified work processes, regulations or direct instructions. The same applies, of course, to the IT employees involved (liability for management: Art. 754 OR, employee liability: Art. 321e OR).
A DPO should therefore never be seen as the "sole authority" for data protection within an organisation. The DPO must help a company or organisation to practise data protection across the board and to comply with its legal obligations, including respect for the privacy of employees.
Legal guidelines
Under the GDPR, could smaller public organisations, for example municipalities or state schools, also be under a legal obligation to appoint a DPO? Typically, Swiss municipalities and even schools do not collect or process data covered by the GDPR. Swiss public institutions are already subject to strict data protection rules and are supervised by the federal or cantonal data protection commissioner.
In this respect, the European directive is only mandatory for those organisations whose core activities involve "regular and systematic monitoring of data on a large scale" or whose activities involve the processing of particularly sensitive data - for example, data relating to ethnic origin, religious beliefs, health, sex life or criminal convictions.
The GDPR has an impact on Switzerland: it applies to companies that collect and process customer and personal data from the EU, or whose services are accessible from the EU (e.g. a website that produces non-anonymised analyses of its visitors). These companies must comply with the regulation and may have to appoint a DPO.
Some helpful guidelines have been produced by the Article 29 Working Party, a group of representatives of data protection authorities across the EU. The GDPR describes the position (qualities and duties) of a DPO. Among other things, the following qualifications are required:
- Possibility of "independent" action.
- Independence from instructions of the employer.
- Knowledge of data protection law.
- Sufficient resources to accomplish the tasks.
- A direct reporting line to the highest level of management.
According to the Article 29 Working Party guidelines, in addition to these qualifications a DPO must not be in a conflict of interest. Some company positions are therefore incompatible with DPO duties, for example the CEO and CFO, but also marketing managers and HR or IT officers.
Other sensible guiding principles explain, for example, that the processing of personnel information within an HR department does not count as a critical "core activity" - any contrary view would mean that every company or operating department needed a DPO.
*Katja Böttcher joined LALIVE in 2015 as Legal Project Manager and is responsible for the coordination of the firm's large legal and compliance projects. She has many years of experience in international criminal investigations and forensic investigations. Prior to joining LALIVE, she worked as a commissariat manager at the Swiss Federal Criminal Police and headed a financial investigation commissariat in the Zurich branch.
Data Protection Officer or Representative?
The privacy policy
The stricter EU data protection rules are another task that the relevant compliance functions must take into account. Companies that are not established in the European Union but to which the EU GDPR applies because their activities are directed at the EU are generally obliged to appoint a data protection representative.
However, in view of the strict Swiss data protection rules already in force (DSG), the change should not be fundamental. Depending on the company, a specialised data protection officer may not be needed; companies would nevertheless do well to appoint a data protection representative. The main function of the data protection representative is to give the supervisory authorities de facto access, within the EU, to the company processing the data. (mm)