The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends the scope to include personal data of EU citizens that are transferred to third countries. For Swiss SMEs, this can already be the case when processing payments via international service providers or when using cloud services.

The reason for this judgment was the legal dispute between Maximilian Schrems, a law student in Austria, with the Irish supervisory authority due to the transmission of personal data by Facebook without the consent of the Irish citizens concerned to the parent company in the USA. A suspension of data transfers by authorities is now possible due to the judgment. The fine for Facebook remains to be seen.

The key message:

• The GDPR applies in the USA and in a third country in which, for reasons of national security or defense, personal data is accessed by the secret services of that country. According to the GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not simply be transferred to these countries. This could also include the UK on 1.1.2021.
• The US Privacy Shield (comparable to the EU Commission’s adequacy decision on an EU-adequate level of data protection) is invalid with immediate effect.
• The so-called Standard Security Clauses (SSC) are still valid, but only with additional security measures. In an individual examination by the data importer / exporter, it must be checked whether the target country has a data protection level equivalent to that of the EU.

The international transmission of personal data also includes credit card data, e.g. from the online shop, but in particular also data in the cloud if the provider is based in the USA or in another third country.

The ECJ does not rule for Switzerland. But, for export-oriented companies in Switzerland, as it did before Safe Harbor, this means that they have to identify and document exports of personal data from Switzerland or Europe that they transfer to third countries without an adequacy decision. In addition, all data transfers are checked for a data security level equivalent to that of the EU, but also whether data access can take place in data centers and the data transfers within the entire Supply Chain.

It must be determined whether data transfers are only based on the Privacy Shield or the SSC or whether another legal reason applies. The risk is the suspension of the data transfer, but also a fine from the supervisory authority of max. CHF 250,000, which is addressed to the CEO and an entry in the criminal record that cannot be deleted for 20 years..

After Great Britain (UK) leaves the EU, the transition phase ends on December 31, 2020. In this article you will find out what to watch out for during and especially after the transition phase and how to prepare.

When is Brexit relevant for a Swiss SME?

• You have an office in the UK.
• Use UK service providers to perform their services (goods suppliers).
• You use UK based cloud / SaaS services, online marketing tools.

Affected groups of people:

• Your customers.
• Users of your online services or website visitors.
• Employees or applicants for online application services.

If the UK becomes a third country that is unsafe under data protection law, there is a risk of data protection violations in these cases after the transition phase. According to the GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not simply be transferred to these countries.

If the EU Commission declares the UK to be a third country that is safe under data protection law, such as Switzerland, the adequacy decision would have to be made at record speed. If that doesn’t happen, you have to take care of the level of data protection yourself.

UK is cut off from the EU in terms of data protection law without an adequacy decision and must be treated like Russia, China … But even then there are ways to securely regulate data transfers and cooperation with British companies under data protection law, such as through

• Contractually required data transfers
• Consent from data subjects
• Other guarantees (binding corporate rules …)

We recommend checking data processing processes, data protection declarations, consents and information procedures with regard to the transmission of personal data. Be prepared that the UK may lose its secure level of data protection.

The EU-GDPR not only provides the occasion but also the necessary support to reflect on new principles in terms of data security in order to make business future-proof in a digitized world. The GDPR is already recognized as “best practice” in many companies and is one of the most essential requirements for user confidence in the Internet – in conjunction with the introduction of innovative Internet-based services in a global economy, this supports economic growth.

Implement GDPR compliance in your company. It is your competitive advantage over your competitors.

The GDPR is anchored in the Swiss GDPR. On September 24, 2020, the National Council also approved the long controversial stricter profiling rules (of the SR) and thus prevented the proposal from crashing. The compromise proposal for the profiling rules that has now been adopted means that a distinction is made between “normal” profiling and profiling with “high risk”. For the latter, the data subject’s express consent is required.

The present draft law aims to strengthen data protection – how?

• Improvement of the transparency in data processing, control options for the data subjects
• Increasing the sense of responsibility, e.g. through the obligation to start planning new ones Data processing systems to consider compliance with data protection regulations. Training courses for employees are also intended to raise awareness of the dangers of cyber attacks.
• Facilitation of international data transfer.
• Promotion and development of new economic sectors in the field of digitization.
• Supervision of compliance with data protection standards by the FDPIC.

The judgment of the ECJ of October 1, 2019 in the case C-673/17 (Planet49) states the following and means for you:

• If information from cookies is stored / collected on the basis of consent, a preset checkbox does not represent effective consent.
• An opt-out solution therefore does not constitute effective consent.
• A soft opt-in (“continue surfing”) does not constitute effective consent.
• It makes no difference whether it is personal or anonymized data (which are stored / collected).
• The consent must be given for the specific case.
• Service providers must, among other things, ask the user about cookies. Provide information on the purposes, duration of function and accessibility of third parties.

(Guideline-compliant interpretation of Section 15 (1) TMG and Section 15 (3) TMG (BGH judgment of May 16, 2017, Az .: VI ZR 135/13 or BGH resolution of October 5, 2017 I ZR 7/16)

Stress in the workplace due to insufficient resources and negligence are the greatest risk factor. «… .88% of the participants recognize that digitization is associated with additional cyber risks and that in addition to the visible opportunities, the invisible dangers are also growing. According to bsi.bund.de, only 29% of the institutions surveyed see cyber security and data protection as a competitive advantage … »

An example: after a local control room of the company went down, it became clear that the computers were infected with ransomware. The trigger was the “smart” coffee machine, connected to the Internet, which independently ordered reorders. The coffee maker was not only connected to an isolated Wi-Fi network, but also to the local control room network. The endpoint security, network segmentation and application network communication control were missing.

“Best practice” for the systematic identification of risks is the neutral risk assessment that ensures systematics and objectivity. The result is an overview of the hazard potential and a risk assessment for preventive measures:

• So that failures in digital supply chains are no longer a cause of business interruptions;
• So that the advantages of new technologies – artificial intelligence, IoT etc. – and digitization can be used to increase efficiency.
• So that fires, explosions and natural disasters no longer threaten IT systems, data centers and cloud services, but instead protect redundancies, fail-safety and recoverability.
• And cybersecurity largely serves as protection for digital transformation and data protection.

A future-oriented data policy of trust for progress and innovation is a quality feature. It has a positive influence on the success of the company and leads to higher employee satisfaction.