EU law involves Swiss data processors

The General Data Protection Regulation will usher in a new era of European data protection laws in May next year. The GDPR applies to all member states of the European Union (including the United Kingdom). The contents of the EU General Data Protection Regulation (EU GDPR) replace the old Data Protection Act of 1995.

The primary goal was to protect the rights and privacy of internet users in the 28 EU countries. At the same time, however, regulatory limits were to be set for the "data monsters" - Google, Facebook, Amazon and the like - in the EU area.

To date, there has been much discussion about penalties and sanctions for violations, including up to 20 million euros or four percent of a company's annual global turnover, which even a negligent SME in Switzerland would have to pay from 2018.

In the past, the role of the data protection officer was largely undefined. Data protection roles and tasks were not yet taken into account to the extent that they are required by the GDPR today," explains Katja Böttcher*, Legal & Compliance Project Manager. The lawyer, who specialises in white-collar crime, has been co-ordinating large legal and compliance projects for years.

New instances?
About twelve years ago, data protection was still exclusively practiced in a "computing context". The first people to be given the informal title of Data Protection Officer (DPO) usually had an IT background. They were the ones who could understand, identify and "protect" the flow of computer-driven data. Today, at a time when technology so dominates our lives, the role and task of a DPO has changed significantly.

"If the role of a compliance officer is considered in general and independently of the EU's new data protection directive, this function has received significant contu- nents over the course of the last few years," explains Katja Böttcher.

The new revision is not only about data security or the view of IT, but also about competencies in the areas of labor law and much more. "Overall, however, the task can certainly be described as very complex, particularly with regard to international data protection. Its management will increasingly lead into the hands of specialized compliance responsibilities," says the Swiss lawyer.

"A DPO should never be seen as the sole authority on data protection."

In order to comply with the European directives, the GDPR formulates the role of a DPO and also obliges their use in companies and organisations. Generally speaking, all companies and public institutions must have a DPO in order to comply with freedom of information or human rights in general.

"However, this is highly variable, depending on the size, industry and area of activity of a company," underlines Katja Bött-cher, compliance expert.

Different responsibilities
Until now, the head of a small business or administrative bodies have always been liable for breaches of the duty of care. Recently, there has also been talk of third "de facto bodies" such as outsourced controllers or IT or data security officers, who are to be held strictly liable. Do Swiss SMEs now have to expect stricter consequences under criminal law?

"The responsible bodies or functions have the task of countering corporate risks in the best possible way, minimising the liability risk for the company and ultimately for the persons acting," explains the lawyer. She puts this into perspective: "A data officer is certainly necessary where a data protection breach or data security has been classified as a relevant corporate risk. A locally active SME that serves as a supplier of spare parts probably doesn't need a special data officer, whereas a provider of a business database does."

Accountants without a management function or corresponding responsibility can possibly breach their duty of care under employment law if they do not adhere to the specified work processes, regulations or direct instructions. The same applies, of course, to the IT employees involved (liability for management: Art. 754 OR, employee liability: Art. 321e OR).

A DPO should therefore never be seen as the "sole authority" for data protection within an organization. The DPO must help a company or an organization to provide comprehensive data protection and to comply with the legal obligations - also with regard to respecting the privacy of employees.

Legal guidelines
Under the GDPR, could smaller public organizations - for example, municipalities or state schools - also be under a legal obligation to pay a DPO? Typically, Swiss municipalities and even schools do not collect and process data covered by the GDPR. Public institutions in Switzerland are already subject to strict data protection guidelines and are supervised by the federal or cantonal data protection officer.

In this respect, the European directive is only mandatory for organisations whose core activities involve "regular and systematic monitoring of data on a large scale" or whose activities involve the processing of particularly sensitive data - for example, data relating to ethnic origin, religious beliefs, health, sexual life or criminal convictions.

The GDPR has an impact on Switzerland and is applicable to those companies that collect and process customer and personal data from the EU area, respectively that are accessible from the EU (e.g. homepage that creates non-anonymous evaluations of visitors). These companies must comply with the guidelines and may have to appoint a DPO.

Certain and partly helpful guidelines have been produced by the Article 29 Working Party, a group of representatives of data protection authorities across the EU. The GDPR describes structures (qualities and duties) of a DPO. Among other things, the following qualifications are required:

• Possibility of "independent" action.
• Independence from instructions of the employer.
• Knowledge of data protection law.
• Sufficient resources to accomplish the tasks.
• Sufficient resources to accomplish the tasks.

According to Article 29 of the Guidelines, in addition to the qualification, a DPO must not evoke a conflict of interest.

However, some company positions are not compatible with DPO tasks, including for example the CEO, CFO, but also marketing managers, HR or IT representatives.

Other reasonable guiding principles explain, for example, that critical "core activities" do not involve the processing of personnel information within a human resources department - any contrary view would lead to every company or operating department needing a DPO.