The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends the scope to include personal data of EU citizens that are transferred to third countries. For Swiss SMEs, this can already be the case when processing payments via international service providers or when using cloud services.
The judgment arose from the legal dispute between Maximilian Schrems, a law student in Austria, and the Irish supervisory authority over Facebook's transmission of personal data to its parent company in the USA without the consent of the Irish citizens concerned. As a result of the judgment, authorities can now suspend data transfers. The fine for Facebook remains to be seen.
The key message:
The international transmission of personal data also includes credit card data, e.g. from the online shop, but in particular also data in the cloud if the provider is based in the USA or in another third country.
The European Court of Justice does not rule for Switzerland. For export-oriented companies in Switzerland, however, this means, as it did before Safe Harbor, that they have to identify and document exports of personal data from Switzerland or Europe that they transfer to third countries without an adequacy decision. In addition, all data transfers are checked for a data security level equivalent to that of the EU, and also for whether data access can take place in data centers and in the data transfers within the entire supply chain.
It must be determined whether data transfers are based only on the Privacy Shield or the SCC, or whether another legal basis applies. The risk is the suspension of the data transfer, but also a fine from the supervisory authority of max. CHF 250’000, which is addressed to the CEO, and an entry in the criminal record that cannot be deleted for 20 years. You can avoid it. Please contact us for any further questions.