Blog EN

European General Data Protection Regulation: New legal situation for Swiss exporters

European General Data Protection Regulation: new legal situation for Swiss exporters

The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends the scope to include personal data of EU citizens that are transferred to third countries. For Swiss SMEs, this can already be the case when processing payments via international service providers or when using cloud services.

Blog EN

What to pay attention to when it comes to data protection against the backdrop of an unregulated Brexit?

What to pay attention to when it comes to data protection against the backdrop of an unregulated Brexit?

Brexit und die Auswirkungen im Datenschutzgesetz

After the United Kingdom (UK) leaves the EU, the transition period ends on December 31, 2020. This article draws the attention to during and especially after the transition period and the subjects to be prepared – only in case if UK might slip into the status of a “third country” that does not comply with the European level of data protection. When is the subject relevant for a Swiss SME?

  • You have a branch office in the UK.
  • Use service providers from the UK to perform your services (goods suppliers).
  • You use UK-based cloud/SaaS services, online marketing tools.

Affected groups of people:

  • Your customers.
  • Users of your online services or website visitors.
  • Employees or applicants to online application services.

If the UK becomes a third country that is insecure in terms of data protection law, the above-mentioned conditions will be at risk of data protection breaches after the transition phase. According to GDPR, all countries outside the EU and the EEA are so-called „third countries“, i.e. personal data may not be transferred to these countries without further ado.

If the EU Commission declares the UK to be a safe third country under data protection law, such as Switzerland, the adequacy decision would have to be made at record speed. If this does not happen, you have to take care of the data protection level yourself.

UK will be cut off from EU in terms of data protection without adequacy decision and will have to be treated like Russia, China…. But even then, there are ways to securely regulate data transfers and cooperation with UK companies under data protection law, such as through

  • Contractually required data transfers
  • Consents from data subjects
  • Other guarantees (Binding Corporate Rules…)

We recommend reviewing data processing procedures, privacy statements, consents and access procedures regarding transfers of personal data. Be prepared that UK may lose its secure level of data protection.

Blog EN

Data Protection Act – total revision and amendments to further data protection decrees

Data Protection Act - Total Revision and amendments to further data protection decrees

Verschlüsselung im Datentransfer.


The GDPR will be enshrined in the Swiss DPA. On September 24, 2020, the National Council also approved the long-controversial stricter profiling rules (of the SR), thus preventing the bill from crashing. The compromise proposal now adopted on the profiling rules means that a distinction will be made between „normal“ profiling and „high risk“ profiling. For the latter, explicit consent of the data subjects is required.

The present draft law aims to strengthen data protection – and how?

  • Improving transparency in data processing, control options for data subjects
  • Increasing the sense of responsibility, e.g., by requiring compliance with data protection regulations to be taken into account as early as the planning stage of new data processing systems. Training of employees should also increase awareness of the dangers of cyber-attacks.
  • Facilitating the international transfer of data
  • Promotion and development of new economic sectors in the area of digitalization.
  • Supervision of compliance with data protection standards by the SWISS DPO.

The GDPR provides not only the occasion but also the necessary support to reflect on new principles in terms of data security in order to future-proof business in a digitalized world. The GDPR is already recognized as „best practice“ in many companies and is one of the most essential prerequisites for users trust in the Internet – in combination with the introduction of innovative Internet-based services in a global economy, this supports economic growth. Implement GDPR compliance in your business. It is your competitive advantage and a quality feature too!

Blog EN

The cookie ruling and its consequences

The European Court of Justice: no cookie storage without active consent of the internet user

Cookies - einwilligen oder nicht?

The user does not effectively consent to the storage of cookies if the user of the web page uses a checkbox with a pre-set check mark. The permission to set cookies rather requires the active consent of the Internet user, the Court of Justice of the European Union stated in a judgment of October 1, 2019 (Case No. C-673/17). If the storage/collection of information from cookies is based on consent, a pre-set checkbox does not constitute effective consent.

Acceptance of cookies must not be preset

The Court of Justice has ruled that the consent required for the storage and retrieval of cookies on the device of the visitor to a website is not effectively given by a pre-set checkbox which the user must deselect in order to refuse his consent. In this respect, it makes no difference whether the information stored or accessed on the user’s device is personal data or not. Neither an „opt-out“ nor a „soft opt-in“ (continue surfing) solution constitutes legally effective consent.

People must give their consent for any kind of data transfer, tracking ….

Union law was intended to protect users from any intrusion into their privacy, in particular, against the risk of „hidden identifiers“ or similar instruments entering their device. The consent must therefore be given for the specific case. Pressing the button to enter the competition does not yet constitute effective consent of the user to the storage of cookies. In this context, the service provider is obligated to the user to provide information regarding the function duration and the access possibility of third parties about his cookies. It makes no difference whether it is personal or anonymous data that is stored.

Blog EN

Future-oriented data policy: data protection and cybersecurity are a perfect pair …

Future-oriented data policy: data protection and cybersecurity are a perfect pair …

Schadsoftware Trojaner - datenschutzrechtliche Anforderungen

Stress in the workplace due to insufficient resources and negligence are the greatest risk factor. «… .88% of the participants recognize that digitization is associated with additional cyber risks and that in addition to the visible opportunities, the invisible dangers are also growing. According to bsi.bund.de, only 29% of the institutions surveyed see cyber security and data protection as a competitive advantage … »

An example: after a local control room of the company went down, it became clear that the computers were infected with ransomware. The trigger was the “smart” coffee machine, connected to the Internet, which independently ordered reorders. The coffee maker was not only connected to an isolated Wi-Fi network, but also to the local control room network. The endpoint security, network segmentation and application network communication control were missing.

“Best practice” for the systematic identification of risks is the neutral risk assessment that ensures systematics and objectivity. The result is an overview of the hazard potential and a risk assessment for preventive measures:

  • So that failures in digital supply chains are no longer a cause of business interruptions;
  • So that the advantages of new technologies – artificial intelligence, IoT etc. – and digitization can be used to increase efficiency.
  • So that fires, explosions and natural disasters no longer threaten IT systems, data centers and cloud services, but instead protect redundancies, fail-safety and recoverability.
  • And cybersecurity largely serves as protection for digital transformation and data protection.

Future-proof your business with a data policy of trust for progress and innovation. It’s a quality attribute. It positively influences the success of the company and leads to higher employee satisfaction.