GDPR, Swiss DPA & ePrivacy – what Swiss companies should know.

GDPR, Swiss DPA & ePrivacy – what Swiss companies should know

SwissDPA, GDPR, ePrivacy and more…

As experts of data privacy, at Pryv, we continuously invest our best efforts to deeply investigate how data protection regulations might affect your company and what you should keep in mind when dealing with sensitive personal data.

While the GDPR has already started to collect its fees from non-compliant companies, the European Union keeps tightening up its digital market standards, and third countries like Switzerland might be left with no choice but to adapt if they want to keep exchanging data with Europe. So where do you stand in the middle of all these regulations?

In this article, we will try to provide you with a comprehensive overview of the current Swiss-EU privacy landscape, and help you prepare for what’s coming next.

GDPR

If you have a Swiss company and you’re dealing with sensitive personal data, chances are that GDPR-compliance has been your concern for some months now.

Effective since 25 May 2018, the GDPR raised the bar at a whole new level for data protection and privacy regulations, leaving tons of companies collecting and/or processing EU citizens personal data with the only choice of either complying, or paying fines up to €20M or 4% of annual income. And this was just the beginning.

At its core, GDPR is a response to a need for action. But the GDPR was not only designed to ensure an adequate level of data protection for EU citizens. It was also designed to set up a new standard, and help implement the current European strategy for a EU Single Digital Market.

So how exactly might this affect your company? Well:

  • Privacy rights of European citizens are not limited by European borders (ref: https://gdpr-info.eu/art-3-gdpr/): so whether your company is based in Europe or not, if you want to expand your offer of services to EU citizens (or even monitor their behaviour within the EU), you will have to comply with the GDPR first.
  • Personal data transfers outside the EU are subject to numerous provisions under the GDPR (ref: https://gdpr-info.eu/art-44-gdpr/): so at some point, if you want to exchange data with Europe, you may have to demonstrate that your company provides an adequate level of data protection for this data.
  • The Swiss Data Protection Act (“Swiss DPA”) has been revised and will force Swiss companies to better align with the European standard: so even if you’re a Swiss-only business, you will still have to comply with a number of GDPR-like requirements.

Also, if you’re in the healthcare business: the GDPR provides an extra level of protection regarding the processing of specific personal data like genetic data, biometric data and any data concerning health (Ref: https://gdpr-info.eu/art-9-gdpr/), adding yet another level of requirements to meet with.

Did you take all that under consideration?

Swiss DPA

The GDPR does not only affect Swiss companies, but also Switzerland itself.

As a new Swiss DPA (“revDPA”) has been adopted by the Swiss parliament in September 2020, a number of GDPR-like requirements will soon make their appearance in the Swiss legislation as the GDPR was largely taken under consideration during the revision.

For example, the revDPA introduces a right to portability, a duty to inform of any personal data collection, and an obligation to keep an inventory of processing activities, similarly to what is currently provided by the GDPR.

So what does this mean for you? Well, even if you’re not dealing with Europe and are not planning to, if your company falls under Swiss DPA, you will have to comply with all of its new GDPR-like requirements when the revDPA comes into force.

To know more about the key amendments and its impacts on Switzerland, we encourage you to read the text of the revDPA project and the sources provided at the end of this article, especially this one, by François Charlet, which highlights the changes and measures to be taken.

Another thing that you might want to keep in mind is that all of these new obligations will largely apply as soon as the new law comes into force. And as outlined in an article written by Walder Wyss Associates, sharing recommendations for revDPA implementation, “the implementation of the revDPA requires early planning“. 

Therefore, even if the revDPA is expected to come into force in 2022, we strongly advise Swiss companies to not wait until then to start preparing for it.

ePrivacy

As said before, the GDPR was just the beginning.

In the pursuit of its strategy for a single digital market and to reinforce the level of privacy protection of its citizens, the EU is now under discussion to endorse a new regulation intended to replace the current ePrivacy Directive and specify/complement the GDPR: the ePrivacy Regulation (ePR).

To keep it simple, the ePR is having similar focus as the GDPR but specifically targets electronic communications. From that perspective, it is most likely that Swiss companies will be impacted, too. A revised draft for the ePR has just been released in November 2020.

So what should you know? Well, since the ePR is intended to specify/complement the GDPR:

  • If the GDPR applies to you, so could ePR if your offer of services extend to electronic communications.
  • In case of conflict between the two regulations, ePR will take precedence over the GDPR (which means it will be applied first).

Also, ePR fines for non-compliance are expected to be as high as in the GDPR: so in case of infringement, you could have to pay a fine of up to €20M or 4% of your company’s annual income (whichever is higher). Wouldn’t it be better to invest into a compliance strategy instead?

While the ePR is intended to particularise and complement the GDPR, it is also foreseen that it “will have a disruptive effect on companies’ digital strategies, which will need to be redefined to meet the new requirements.” However, it doesn’t necessarily have to.

As we like saying at Pryv, in cases like this, you just have to establish a solid and scalable foundation prior to building the house. Thus, you’ll be sure that eventually, your system components will be scalable to comply with any new forthcoming requirements.

And if you’re in the healthcare business…

ePR is not the only new EU regulation that is to be expected within the next few years. As Europe keeps raising the standards of its regulations, a new regulation for medical devices is also making its way towards the EU market: the Medical Device Regulation (MDR).

Especially, if you’re developing a mhealth app: MDR could become a major concern for you as your software could now be registered as a “medical device” under this new legislation, adding yet another level of requirements to comply with.

As it may feel like a downfall of complex challenges for your company, it doesn’t have to be.

Get your MDR compliance done right: explained in a less than 5 minutes read

Since 2015, we have been discussing with hundreds of healthcare innovators and listening to their needs, so that we could help businesses like yours build solutions that respect not only data privacy and protection regulations, but also existing and forthcoming regulations for managing personal health data.

The end… or the and?

By design, when we decided to bring Pryv.io on the market as a ready-to-be-used solution for personal and health data, we invested in making sure that we can ensure your products can easily benefit from integrated compliance over different industries and market-specific regulations.

Book a demo to know more about how Pryv.io can help you comply with Swiss DPA, GDPR, ePrivacy and boost your time to market, turning your compliance investment into a competitive advantage.

Yours,

Stephanie & Evelina

Sources:

[to know more about the new Swiss DPA]