The EU’s General Data Protection Regulation comes into force

The European Union’s General Data Protection Regulation (GDPR) will be directly applicable starting on 25 May 2018. It reinforces the rights of natural persons in terms of control over their personal data and is binding for all member states of the European Union, some of which have already passed transposition laws to this end. However, the GDPR also has an extra-territorial impact. A large number of companies in Switzerland will therefore have to adhere to both the provisions of the Swiss Federal Data Protection Act, which is under revision, as well as those provided in the GDPR. New provisions often entail legal uncertainties, as they give rise to a broad range of opinions on various points. Often, a prevailing view must first be established. The Federal Data Protection and Information Commissioner (FDPIC) and law firm Homburger [insert link], for example, have both published inconclusive analyses regarding the ramifications of the GDPR for Switzerland.

The coming into force of the GDPR naturally also has a direct and significant impact on banks domiciled in Switzerland. Institutions with branches or subsidiaries in the EU that have centralised IT organisations which also process information for the branches or subsidiaries in the EU, and Swiss data processors that operate for companies in the EU must in particular comply with the requirements set out under the GDPR.

The GDPR will also be reflected in the Swiss Federal Data Protection Act (DPA), which is currently under revision. It is paramount that the provisions set out under the DPA not go beyond those of the GDPR. A “Swiss finish” should in particular be avoided in order to ensure that Switzerland remains generally attractive as a business location and in particular as a financial centre.