On May 25, 2018, the new EU General Data Protection Regulation (“GDPR”) will come into force. It will govern data collection and storage practices throughout the European Union. According to the principle of “lex loci solutionis” (literally: “the law of the place of performance”), Swiss website operators who process personal data may also be subject to the new regulation.
As infringement can be penalized with steep fines, the GDPR has caused quite a stir in boardrooms and in the media. It is unlikely that the EU data protection authorities will rush to impose harsh fines on Swiss companies, but failure to adapt to the new requirements may well have inconvenient consequences, such as warnings or requests from authorities (e.g. for compliance with a request for erasure). Separately to the GDPR, the Swiss Data Protection Act is currently being revised, too. It will probably introduce comparable rules within the next two years.
The responsible processing of personal data is crucial if you want to maintain the trust of your website users. Regardless of the applicability of the GDPR to individual cases, you should take their privacy and data security seriously.
Does this affect me?
All website operators need to answer that question for themselves. But we can offer you a few indicators to help you work it out. The regulation is based on the principle of “lex loci solutionis”, so whether the operator of a website is based in the EU or not is irrelevant. In an online context, the place of performance is where visitors view your website. This could be from a smartphone at Frankfurt Airport, from a laptop on the TGV from Paris to Zurich – and so on.
The GDPR especially applies if Swiss providers target customers in the EU or analyze the usage pattern of EU-based customers. Simple (passive) accessibility of a website to EU clients does not necessarily fall within the scope of the GDPR. Another common misunderstanding is the assumption that the GDPR automatically applies to people who are from the EU.
Indicators for the applicability of the GDPR include product prices stated in multiple currencies (e.g. CHF and EUR), directions for reaching a company from abroad, information about international shipping fees and the provision of a phone number with an international calling code. The regulations are relatively vague about such situations, and there are no precedents yet that could help clarify the legal situation.
If you are not sure, we recommend assuming that the GDPR applies to you for the time being and taking corresponding measures.
What do I need to do?
If the GDPR applies to you, you are only allowed to process personal data if you have justification. The GDPR specifies six lawful grounds for processing personal data. User consent is the most frequently used and the most intensely discussed.
Obtaining legally valid consent in accordance with the requirements of the GDPR is not easy, however. Consent is only valid if it is informed, freely given, explicit (with regard to one or multiple specific purposes) and revocable at any time. Many users are overwhelmed by the sheer amount of information presented to them and simply disregard it. But many people forget that legitimate (business) interest constitutes a lawful basis for processing, too. Your own interests must be carefully weighed against those of your users, however. For most cases in which personal data is used for commercial purposes, legitimate interest is likely to be a better justification than consent. Other lawful grounds for processing personal data are contractual necessity, legal obligation and the protection of the vital interests of a third party.
Regardless of your justification, you may only collect and process data that is required and justified to accomplish your objective. In case of an online shop, for instance, this could be the shipping address and date of birth of your customers. Religious affiliation, on the other hand, is not relevant for the purchase of a bottle of wine. Requesting or storing this information is not justified under the GDPR.
As soon as you have an overview of the type of data you process and the way in which you process it, you need to document this information (record of processing activities). You must be able to produce this document in case of an audit.
Any person whose data you collect is entitled to request access to their processed data and its purpose, unless your own higher interests prevent such disclosure.
If multiple people have access to the data (e.g. the webmaster, employees, external partners, etc.), they are also obliged to document and prove their justification for working with this data.
Protective measures (virus protection, data storage, prevention of third-party access etc.) must also be justified and documented.
As a rule of thumb, responsibility for compliance with the regulatory requirements always lies with the person who collects and processes personal data. In most cases, this is the website operator processing the data of their website visitors and customers.
Contracts for commissioned processing
Nearly all online platforms commission certain data processing services from third parties. As a hosting service provider, we store our clients’ data (personal and otherwise). Responsibility for the lawful collection and processing of personal data remains with our clients, however. Hostpoint is defined as a processor and as such, we support our clients in meeting their obligations. The GDPR stipulates that mutual responsibilities must be agreed upon in writing. After the GDPR comes into force, clients will need to enter into a contract for commissioned processing (CP contract) with Hostpoint. This contract is available from our Control Panel, regardless of whether or not there is a legal obligation to conclude such a contract. You can view the contract in your control panel under Admin > Contracts.
Can Hostpoint provide me with legal support?
As an internet service provider, Hostpoint cannot offer binding legal advice. We do our best to keep you, our client, informed and provide you with help to the best of our ability. This is not a substitute for consultation with a qualified legal adviser.
I would like detailed information
The internet is awash with articles detailing the content of the GDPR and providing different assessments and interpretations of its effects. When you do your own research, keep in mind that the legal situation is still very uncertain, with no indications about the actual interpretation and judicial implementation of the regulation to date.
This uncertainty aside, we suggest the following links:
Original text of the GDPR: https://gdpr-info.eu
Statement from the Swiss Federal Data Protection and Information Commissioner (in German): https://www.edoeb.admin.ch/edoeb/de/home/dokumentation/rechtliche-grundlagen/Datenschutz%20-%20International/DSGVO.html
This blog post was written on the basis of current insights and literature. Expert opinion still differs widely. There are no definite answers to many questions about the GDPR, and Switzerland will also soon be subject to the revised Data Protection Act. We assume no liability for the correctness and completeness of the information provided. Every website operator must deal with this topic individually; many will need to consult a legal expert.