The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court ruling now extends its scope to personal data of EU citizens that is transferred to third countries. For Swiss SMEs, this can already be the case when they process payments via international service providers or use cloud services.
The judgment arose from the legal dispute between Maximilian Schrems, a law student in Austria, and the Irish supervisory authority over Facebook's transfer of personal data to its parent company in the USA without the consent of the Irish citizens concerned. As a result of the judgment, authorities can now suspend data transfers. Whether Facebook will be fined remains to be seen.
The key messages:
- The GDPR applies to transfers to the USA and to any third country in which the intelligence services of that country access personal data on grounds of national security or defense. Under the GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not simply be transferred to them. From 1.1.2021 this could also include the UK.
- The US Privacy Shield (comparable to the EU Commission’s adequacy decision on an EU-adequate level of data protection) is invalid with immediate effect.
- The so-called Standard Security Clauses (SSC) remain valid, but only in combination with additional security measures. The data importer and exporter must check, case by case, whether the target country offers a level of data protection equivalent to that of the EU.
The international transmission of personal data also includes credit card data, e.g. from an online shop, and in particular data held in the cloud if the provider is based in the USA or another third country.
The ECJ ruling does not apply directly to Switzerland. But for export-oriented Swiss companies it means, just as the Safe Harbor ruling did before, that they have to identify and document exports of personal data from Switzerland or Europe to third countries without an adequacy decision. In addition, all data transfers must be checked for a level of data security equivalent to that of the EU, including whether data can be accessed in data centers and how data is transferred throughout the entire supply chain.
It must be determined whether data transfers rely solely on the Privacy Shield or the SSC, or whether another legal basis applies. The risk is not only the suspension of the data transfer but also a fine from the supervisory authority of up to CHF 250,000, addressed to the CEO personally, and an entry in the criminal record that cannot be deleted for 20 years.