The General Data Protection Regulation (GDPR) has been, is and will continue to be the subject of much debate.
For Swiss companies, the question arises as to how far this regulation applies to them. While many have raised the spectre of colossal sanctions in the event of non-compliance with the GDPR, it is still necessary for it to be applicable to them, which in reality is far from being as systematic as some have tried to make it seem.
Without going into the details of the text of the GDPR itself, its possible application to companies having their registered office in Switzerland is determined by Article 3, paragraph 2, which reads as follows:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour takes place within the Union. »
It is above all letter (a) that will hold our attention here. According to this provision, a company with its registered office in Switzerland thus appears to be subject to the GDPR insofar as it processes the data of natural persons in the Union, in connection with an offer of goods or services.
The European Data Protection Board (EDPB) has had the opportunity to give its opinion on the interpretation that should be given to this provision in the context of Guidelines 3/2018 adopted in their latest version on 12 November 2019. What should be retained?
A distinction is to be made as to whether or not the company has an online activity:
If the Swiss company only operates offline (i.e. without using an e-commerce website), and its activities are only offered in Switzerland, the application of the GDPR should not come into play. Two points should be made in this regard:
For many Swiss companies, the question of the application of the GDPR therefore arises above all through a possible website and the online transactions that may follow, possibly through the provision of an online service.
The decisive criterion thus consists of assessing whether the company “offers goods or services to persons in the Union” at the time of the processing.
In this context, the mere fact that a website is accessible anywhere in the world is not sufficient to be considered as an “offer“. A certain targeting of individuals in the Union, reflecting an intent to reach them, is therefore necessary.
Whether such individuals are being targeted will have to be assessed on the basis of various criteria, in particular the way the site is configured, displayed and promoted through various marketing campaigns (online or offline). Among the criteria to be considered are the following:
In the light of the above, it is clear that if a Swiss company that only operates in Switzerland outside the Internet has little to fear, a company that also intends to promote its services on the Internet will have to be careful about the way it configures its site and conducts its marketing campaigns.
The application of the GDPR obviously has many consequences for the company, which will be the subject of developments in later posts.
Among these, we will mention here the obligation to appoint a representative within the European Union (art. 27 GDPR), ideally in one of the countries whose individuals are targeted, a point too often ignored or neglected for the sake of simplification. Needless to say, this point is not the most pleasant one, since it implies finding such a representative, who will only accept to play this role in return for payment. In the absence of such representative, the company will fail to fulfil one of the obligations of any data controller, i.e. to communicate the identity of its representative in accordance with its obligation of transparency (art. 13 and 14 GDPR). Some companies now offer this service at a mode
Do you have questions about his topic?
Our lawyers benefit from their perfect understanding of Swiss and international business law. They are highly responsive and work hard to find the best legal and practical solution to their clients’ cases. They have acquired years in international experience in business law. They speak several foreign languages and have access to correspondents all over the world.
Avenue de Rumine 13
PO Box
CH – 1001 Lausanne
+41 21 711 71 00
info@wg-avocats.ch
©2024 Wilhelm Attorneys-at-Law Corp. Privacy Policy – Made by Mediago