A lot of consultants have pointed to the fact that businesses can be fined up to 20 million euros, or 4% of the annual global turnover of the prior financial year (whichever is higher), for infringements of data subject rights under the General Data Protection Regulation (GDPR). However, the GDPR is not directly applicable in Switzerland. Instead, at least for the time being, the less ominous Swiss Federal Data Protection Act (FDPA) of 1992 applies. So, what is the actual risk that EU Member State supervisory authorities come knocking on your Swiss business’s door with a fine anyway, and what can you do to avoid that? In this blog article we provide you with (1) an overview of when the GDPR applies to your business in Switzerland, (2) an assessment of the actual enforcement risk, and (3) some tips to mitigate your business’s risk exposure.
GDPR – the criterion of establishment
First, you need to check whether your business falls under the criterion of ‘establishment’ in Art. 3 (1) GDPR.
This covers the following cases: the processing of personal data in the context of the activities of an EU branch or subsidiary of a Swiss company; or the processing of personal data by a Swiss company acting as processor on behalf of a European company.
So, if you have given in to the temptation of outsourcing the processing of personal data to a cheaper processor in Germany or Italy, the processor company will be subject to the GDPR regardless of whether the personal data pertains to EU or Swiss data subjects. In the event of a breach by the foreign processor, its liability will likely be engaged.
GDPR – the criterion of targeting
Second, you should consider whether you could be regarded as ‘targeting’ EU data subjects by offering them goods or services in the sense of Art. 3 (2) GDPR.
The GDPR does not include a precise definition of what “offering goods and services” entails. Recital 23 specifies that it should be determined whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the EU.
In order to ascertain this intention, a number of factors are taken into account, including “the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union”.
This means that your website can have a version in German, French, or Italian, as these are official languages of Switzerland, without triggering the GDPR. However, a Dutch, Portuguese, Swedish or Spanish version, for example, could indicate your intention of doing business in the EU (English is generally considered not to trigger the targeting criterion by itself). The same goes for indicating product prices in euros in your online shop.
In a different context (cases C-585/08 and C-144/09), the Court of Justice of the European Union has identified factors signifying whether the offering of goods and services can be considered as being directed at a particular EU Member State.
Indications such as mentioning your telephone number with an international dialling code on your website, or describing the route from a Member State to your business venue (e.g. “How to get to our resort from Germany”), can signify your intention of targeting EU data subjects. The mere accessibility of your website or email address in the EU is insufficient to establish such an intention, but domain names ending in an EU country top-level domain such as .fr, .it or .nl are strong indications.
Notably, the EU authorities’ reach is limited in Switzerland, and so far we are not aware of any actions against Swiss companies. It is also important to note that the maximum fines are intended for the Facebooks and Googles of this world, and will never reach such heights for the average company that has an incorrect website disclaimer.
The large fines have definitely put data protection on the minds of entrepreneurs and business leaders, and while high fines for the average Swiss business are very unlikely, basic data protection compliance can be implemented quite easily and has become an important reputational factor. To make compliance easy to implement, we have developed a LEXR standard data protection compliance package; we are happy to tell you more if you provide your contact details (and consent that we may use such details to send you the respective information).