👉 Book an appointment
The ECJ ruling Schrems II or the end of the Privacy Shield

European General Data Protection Regulation: new legal situation for Swiss exporters

The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends the scope to personal data of EU citizens that is transferred to third countries. This can be the case for Swiss SMEs even when processing payments via international service providers or using cloud services.

The reason for this ruling was the legal dispute between Maximilian Schrems, a law student in Austria, and the Irish supervisory authority regarding the transfer of personal data by Facebook without the consent of the Irish citizens concerned to the parent company in the USA. A suspension of data transfers by authorities is possible with immediate effect due to the ruling. The fine for Facebook remains to be seen.

The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends the scope to personal data of EU citizens that is transferred to third countries. This can be the case for Swiss SMEs even when processing payments via international service providers or using cloud services.

The core statement:

  • The GDPR applies in the USA and in a third country where personal data is accessed by the intelligence services of that country for reasons of national security or defense. According to the GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not be transferred to these countries without further ado. This could also include the UK on 1.1.2021.
  • The US Privacy Shield (comparable to the EU Commission’s adequacy decision on an EU-adequate level of data protection) is invalid with immediate effect.
  • The so-called Standard Security Clauses (SSC) are still valid, but possibly only with additional security measures. An individual case review by the data importer/exporter must determine whether a level of data protection equivalent to that of the EU exists in the target country.

The international transfer of personal data includes, among other things, credit card data, e.g. from the online shop, but especially data in the cloud, provided that the provider is based in the USA or another third country.

The ECJ does not decide for Switzerland. However, for export-oriented companies in Switzerland, as was the case before Safe Harbor, this means that they must identify and document exports of personal data from Switzerland or Europe that they transfer to third countries without an adequacy decision. In addition, all data transfers must be checked for a data security level equivalent to that of the EU, but also whether data access to data centers can take place and the data transfers within the entire supply chain.

It must be determined whether data transfers are based only on the Privacy Shield or the SSC or whether another legal basis applies. The risk is the suspension of the data transfer, but also a fine from the supervisory authority of max. CHF 250,000, which is addressed to the CEO, and a criminal record entry that cannot be deleted for 20 years. That doesn’t have to be the case – we support you! Call us on T. 079 348 55 63.