The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends its scope to personal data of EU citizens that is transferred to third countries. For Swiss SMEs, this can already be the case when processing payments via international service providers or when using cloud services.
The reason for this judgment was the legal dispute between Maximilian Schrems, a law student in Austria, and the Irish supervisory authority over Facebook's transmission of personal data to its parent company in the USA without the consent of the Irish citizens concerned. As a result of the judgment, authorities can now suspend data transfers. The fine for Facebook remains to be seen.
The key message:
The international transmission of personal data also includes credit card data, e.g. from the online shop, but in particular also data in the cloud if the provider is based in the USA or in another third country.
The ECJ does not rule for Switzerland. But, as with Safe Harbor before, this means that export-oriented companies in Switzerland have to identify and document exports of personal data from Switzerland or Europe to third countries without an adequacy decision. In addition, all data transfers must be checked for a level of data security equivalent to that of the EU, and also for whether data can be accessed in the data centers and along the data transfers within the entire supply chain.
It must be determined whether data transfers are based only on the Privacy Shield or the SSC, or whether another legal basis applies. The risk is the suspension of the data transfer, but also a fine from the supervisory authority of max. CHF 250,000, which is addressed to the CEO, and an entry in the criminal record that cannot be deleted for 20 years.
After Great Britain (UK) leaves the EU, the transition phase ends on December 31, 2020. In this article you will find out what to watch out for during and especially after the transition phase and how to prepare.
When is Brexit relevant for a Swiss SME?
Affected groups of people:
If the UK becomes a third country that is unsafe under data protection law, there is a risk of data protection violations in these cases after the transition phase. According to the GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not simply be transferred to them.
For the EU Commission to declare the UK a third country that is safe under data protection law, as Switzerland is, the adequacy decision would have to be made at record speed. If that doesn’t happen, you have to take care of the level of data protection yourself.
Without an adequacy decision, the UK is cut off from the EU in terms of data protection law and must be treated like Russia, China … But even then there are ways to regulate data transfers and cooperation with British companies securely under data protection law, such as through
We recommend checking data processing processes, data protection declarations, consents and information procedures with regard to the transmission of personal data. Be prepared that the UK may lose its secure level of data protection.
The EU-GDPR not only provides the occasion but also the necessary support to reflect on new principles in terms of data security in order to make business future-proof in a digitized world. The GDPR is already recognized as “best practice” in many companies and is one of the most essential requirements for user confidence in the Internet – in conjunction with the introduction of innovative Internet-based services in a global economy, this supports economic growth.
Implement GDPR compliance in your company. It is your competitive advantage over your competitors.
The GDPR is anchored in the Swiss GDPR. On September 24, 2020, the National Council also approved the long-controversial stricter profiling rules (of the SR) and thus prevented the bill from failing. The compromise proposal for the profiling rules that has now been adopted distinguishes between “normal” profiling and profiling with “high risk”. For the latter, the data subject’s express consent is required.
The present draft law aims to strengthen data protection – how?
The judgment of the ECJ of October 1, 2019 in the case C-673/17 (Planet49) states the following and means for you:
(Guideline-compliant interpretation of Section 15 (1) TMG and Section 15 (3) TMG (BGH judgment of May 16, 2017, Az.: VI ZR 135/13, or BGH resolution of October 5, 2017, I ZR 7/16))
Stress in the workplace due to insufficient resources and negligence are the greatest risk factors. «… 88% of the participants recognize that digitization is associated with additional cyber risks and that in addition to the visible opportunities, the invisible dangers are also growing. According to bsi.bund.de, only 29% of the institutions surveyed see cyber security and data protection as a competitive advantage …»
An example: after a local control room of the company went down, it became clear that the computers were infected with ransomware. The trigger was the “smart” coffee machine, connected to the Internet, which placed reorders on its own. The coffee machine was connected not only to an isolated Wi-Fi network, but also to the local control room network. Endpoint security, network segmentation and control of application network communication were all missing.
“Best practice” for the systematic identification of risks is a neutral risk assessment that ensures a systematic and objective approach. The result is an overview of the hazard potential and a risk assessment for preventive measures:
A future-oriented data policy of trust for progress and innovation is a quality feature. It has a positive influence on the success of the company and leads to higher employee satisfaction.
Our online test is your orientation aid in the implementation of the GDPR. Arrange a non-binding appointment with us.