EU General Data Protection Regulation (GDPR)
How the GDPR impacts Swiss companies

At the end of May 2018, the new General Data Protection Regulation (GDPR) entered into force in the EU. It is supposed to allow EU citizens to regain control over the usage of their data. This also impacts Swiss companies, even if they have no branches in the EU. Sunrise has compiled the most important facts.

The General Data Protection Regulation (GDPR) has been in effect in the entire European Union (EU) since May 25, 2018. Among other things, it requires companies, associations, and institutions to disclose how data is collected, processed and, if applicable, passed on and used. Thus, the core of the regulation is documenting in a register how and why data is collected and processed. Companies also must inform their customers or members about the usage of their data in clear and simple language before collecting personal data, and they must delete data immediately upon request. Supervisory authorities must be informed immediately in the event of a data breach.

Data protection in Switzerland

All of this also impacts many Swiss companies. The EU regulation also applies, for example, if a European company contracts a Swiss company to process personal data or if a Swiss company uses data from persons who reside in the EU. This is the case, for instance, when online shops send products to EU citizens and analysis tools track user behavior on a website without the IP addresses of EU citizens having been anonymized.

Problems with WhatsApp and similar apps

Swiss companies that are impacted by the new EU regulation have also been required to inform people about the usage of personal data, obtain customers' and users' consent for processing this data, and create a register of processing activities, among other things, since the end of May 2018. And that is exactly where problems begin for many smaller companies: They use tools, apps, and services from third-party providers that systematically tap and further process data, for example, on servers in the USA.

The most famous example of this is Facebook's subsidiary WhatsApp, which workmen and mechanics often use to take quick pictures. The messenger service is intended for private use. People who use it for professional purposes run a considerable risk and violate the new European regulations right and left. And that is the case even if they use the service for private, not professional, purposes. If the app is installed on a company phone, all contact information in the address book is generally read. That means there must be a strict separation of private and business accounts in order to comply with the data protection ordinance.

Anyone who wants to play it safe and avoid all data protection violations should therefore forbid their employees from installing, on company cell phones, WhatsApp or other messenger services that save files and chat histories on servers in the USA. Employees should be every bit as careful when saving business contacts on their private mobile phones.

Do you want to play it really safe? Then take a look at our compliant Work Smart solutions

Of course, you don't have to completely go without messenger tools and the like. In the end, they unite functions like instant messaging, video conferencing, desktop sharing, team coordination, and sharing documents in a single application. Possible alternatives include Threema Work and Microsoft Teams, which are technically safeguarded via end-to-end encryption and legally compliant with European data protection legislation.

Services that are completely tailored to the needs of Swiss companies and where the telecommunications provider, such as Sunrise, assumes responsibility for all consequences of the data protection ordinance are even more convenient. Sunrise has a well-versed team of data protection officers who know the pitfalls of the new ordinance and check all apps, services, and tools to make sure they are compliant. In addition, Sunrise guarantees that data collected is stored only on servers in Switzerland for all its services.

Check all contracts now

Generally, the following applies: Check all contracts now to understand where all the data and applications are saved and where data is processed. It is also a good idea to obligate solution providers to disclose all sub-providers and list all server locations where personal data is stored and processed so that information can be provided to the persons concerned at all times. By the way, Switzerland is also currently drafting a federal data protection law. Companies that have already adapted to the GDPR will likely save a considerable amount of time implementing the Swiss version when it is finished.
