May 25, 2018 caused quite some trouble for many companies: Many believe that anyone with cus­tomers or employees in the EU who was not in compliance with the new EU General Data Protec­tion Regulation (GDPR) as of that date would soon face fines. Many consultants stoked the fears, while at the same time promising that companies could become «GDPR-compliant» by undertaking major implementation projects. However, those that took advice of less agitated experts were able to sleep soundly and also utilize their resources much more efficiently.

While the GDPR is by no means a trivial matter, the new data protection law in Europe is not be as bad as it sometimes was made out to be. We are taking this opportunity to do a reality check, report on our initial experiences, and take a look at what is yet to come:

• As expected, May 25, 2018 passed without major incidents. Granted, the Austrian data protection activist Max Schrems (whose law­suit against Facebook in the ECJ at the time put an end to the «safe harbor» regulations) immediately announced a number of new law­suits against Facebook and other companies, but a flood of litigation against less prominent companies continues to be unlikely.
• Most of the data protection authorities in Eu­rope continue to be overstrained due to a lack of personnel and in many cases do not even respond to reports of data protection violations. They will still need some time to cope with their new tasks and are looking for additional staff in many places, insofar as they even have corre­sponding budgets. But this phenomenon is nothing new. As an employee of a European data protection authority put it: «We are not go­ing to travel through the country beating peo­ple over the head with a club. Instead, we want to help companies become data protection compliant.»
• Many requirements of the GDPR remain un­clear, and many will not be cleared up for the foreseeable future. However, this is not neces­sarily a disadvantage, as it gives companies the freedom to interpret these requirements in pragmatic, practical ways. Unfortunately, the literature and recommendations from the au­thorities do not always provide the necessary assistance. In practice, companies often have to make decisions involving a certain degree of risk.
• Many companies based in Switzerland con­tinue to ask us whether the GDPR applies to them, as well. An official statement from the EU data protection authorities regarding their interpretation of Art. 3(2) GDPR, which con­cerns this issue, has been slow in coming. However, the currently prevailing view is more liberal than two years ago regarding the extra­territorial effect of the GDPR. For example, it is widely recognized that, just like employing cross-border workers from the EU in Switzer­land or offering products or services to busi­nesses and not to private individuals in the EU does not automatically result in the application of the GDPR, neither does outsourcing to a commercial provider in the EU. If you would like to check whether and to what extent you fall under the GDPR, you can do this by using Form C.1 in the Data Protection Self-Assess­ment Tool developed by us (http://dsat.ch/) (see below).
• Beginning on July 20, 2018, the GDPR applies in the entire EEA, i.e., also in the Principality of Liechtenstein. That is an unwelcome sur­prise for many Swiss companies, as they be­lieved they were exempt from the GDPR be­cause they did not engage in business with consumers in the EU. There are many Swiss companies that do not sell into the EU, but do indeed sell to Liechtenstein. The reasons for this are partly historical and partly legal. For in­stance, Swiss direct insurers may also engage in business in Liechtenstein based on their Swiss license from FINMA. Many of these companies now have to implement the GDPR for their private customers in Liechtenstein. As these customers are often serviced via the same systems and processes as the Swiss customers, these systems and processes must be adapted comprehensively – and for many companies much earlier than expected. They had hoped to have a bit more time thanks to the delay in the revision of the Swiss Federal Act on Data Protection (FADP). The good news: At any rate, at least until such time as the FADP is revised, neither the Liechtenstein Data Protection Office nor any other data pro­tection authority in the EEA should be able to execute enforcement measures against com­panies in Switzerland. Switzerland does not provide administrative assistance in such cases, and an authorization pursuant to Art. 271 Swiss Criminal Code (SCC) seems un­likely at present. It is more likely that the Swiss Federal Data Protection and Information Com­missioner (FDPIC) would take action based on his own legal powers and interpret the FADP in accordance with the GDPR, although he has no power to impose sanctions.
• The revision of the FADP is being delayed considerably longer than was originally planned. The Swiss Federal Parliament does not want to be put under pressure in this re­gard. Although the bill was not rejected, as was initially feared, it was divided into two parts: To begin with, the part of the revision that is necessary for the Schengen Area will be implemented (it is supposed by EU to be im­plemented as of August 2018) so that the Fed­eral Parliament can take its time to debate the remainder of the revision. We do not anticipate radical changes from the Federal Council’s draft of September 2017, but we expect that the «Swiss Finishes» that go beyond the GDPR will be removed (an in-depth article in German is available here: https://goo.gl/8iV8vt). How­ever, unlike under the GDPR, we anticipate that criminal rather than administrative sanc­tions will apply in Switzerland (at present, these are envisaged to apply against the pri­vate individuals responsible with regard to a relatively small number of offenses). Based on the current state of affairs, it is unlikely that the bill will be passed in 2019. As we can assume a two-year transition period, the provisions of the revised FADP would not apply until 2022. Consequently, the FADP will require Swiss companies to implement many of the updates to the GDPR, as it will contain these updates as well, but it will be some time before that happens.
• One of the issues that is keeping our clients especially occupied at present is the distinction between data «processors» and the role of the «controller.» Many companies still incor­rectly assume that any service provider or au­thorized person who is granted access to data pertaining to the company is automatically a data processing provider (or in the terminology of the GDPR: a «processor»). This would mean that it would need a corresponding agreement, for which Art. 28 GDPR prescribes the re­quired content in detail. Accordingly, many of our clients have been asked by their business partners – without a legal basis – to sign such contracts, without having examined the situa­tion more closely. If an insurance company in­sures a company’s employees, the insurance company processes the employees‘ data on its own responsibility and is therefore not a pro­cessor. Its service does not consist of data processing; rather, it processes the data on its own in order to provide its service. Likewise, attorneys are not normally their clients‘ proces­sors.
• Another hot topic is the rights of data sub­jects, such as the right to information or eras­ure. Many companies feared that they would be inundated with such requests after May 25, 2018. We recommended defining the responsi­bilities but taking a wait and see approach. This has proved worthwhile: Most of the com­panies that deal with consumers did at times observe a slight increase in the number of such inquiries and requests. But there was no flood of such requests or any other serious problem. In this regard, it is important to note that the rights of data subjects – with the ex­ception of the right of data portability – already existed in EU law. The Swiss FADP also grants data subjects a right of information, cor­rection, erasure, and objection. If a person as­serts his/her rights, it is important to identify them reliably and to ask relevant follow-up questions; in many cases, the persons do not respond, and there is no need for further ac­tion.
• Then again, we have received initial reports from Germany of warning letters regarding websites that allegedly are not GDPR compliant. These warning letters are generally sent by „warning associations“ or attorneys. They find fault with the lack of a GDPR-compliant privacy statement, the erroneous integra­tion of third-party offerings such as Google Fonts or Google Analytics, or the integration of tools and plug-ins that are not permitted under German law. They call for a modification of the website, a declaration of discontinuance and, above all, coverage of the costs of providing the warning letter, which is permitted under German law in certain circumstances. Unfortu­nately, there is also abuse on the part of the parties issuing these warning letters, who count on the fact that the targeted companies do not want the matter to be brought before the courts. If a company receives a warning letter, it should review its privacy statement and ensure that it only uses data protection-compliant tools and plug-ins, and at any rate never issues a declaration of discontinuance without a proper review. Insofar as companies in Switzerland are affected, which occurs fairly infrequently, we also generally recommend not making any payments. So far, there has not been any court decision as to whether and to what extent warning letters concerning GDPR violations are permitted.
• The deluge of «opt-in» e-mails may also have been an annoyance to many people in the weeks prior to May 25, 2018. These e-mails asked the recipients to confirm that they wanted to continue to receive newsletters and other promotional mailings from the relevant company. Anyone – like most recipients – who did not respond received increasingly dra­matic-sounding reminder e-mails to please grant their consent. We opted to forego send­ing such an e-mail to our clients and also ad­vised most of our clients to do the same. In most cases, such e-mails were unnecessary or not expedient – it caused a number of compa­nies to lose a large number of their marketing addresses.
• Many companies also did not realize that apart from the requirements pertaining to a valid consent, the GDPR did not entail many new features with respect to marketing e-mails. The sending of marketing e-mails is governed else­where in EU law, namely in the ePrivacy Di­rective. Plans are to also adopt it – quasi as a special data protection law – in addition to the GDPR in the form of a Regulation. Originally, the ePrivacy Regulation was supposed to en­ter into force together with the GDPR, but sig­nificant delays occurred because of differences over its content. Entry into force is not ex­pected until 2019, with a transition period of another two years (see https://www.bvdw.org/themen/recht/eprivacy-verordnung/). It regulates issues such as ad­vertising mailings and cookies and, like the GDPR, shall also apply extra-territorially and be equipped with the same sanctions regime. It is expected that many more Swiss busi­nesses will fall under the ePrivacy Regulation than under the GDPR.
• In the meantime, GRPR implementation pro­jects are continuing in many companies. In the period before May 25, 2018, most companies focused on publishing a GDPR-compatible pri­vacy statement, making an inventory of data processing actions, establishing a process for reporting data security violations, and issuing basic instructions for handling personal data, where these did not already exist. Another pri­ority was the execution of GDPR-compliant contracts for the outsourcing of data processing to providers and for the international exchange of data, but especially in these two areas many businesses have only just started making progress. A large number of contracts still need to be adapted. Most companies also have yet to perform an actual evaluation of their data protection compliance and conduct data protection impact assessments. In many places, these projects will continue into 2020. A risk-based approached is being pursued in this regard, and companies are well advised not to throw the baby out with the bath water: What is important is that a company have a plan as to how it aims to comply with the GDPR and the revised FADP, and that it works consistently to implement this plan.
• Finally, a note on our own initiatives: In the course of advising our clients, David Rosenthal developed a tool that companies can use to assess their data protection compliance with both the GDPR and the revised FADP (based on the Official Statement of the Federal Coun­cil). This «Data Protection Self-Assessment Tool» (DSAT in German) differs from all other tools in that it contains not only the typical questions used for assessing data compliance, but also all the typically possible answers. Thus, it can also be used by persons who do not have any special expertise regarding data protection. DSAT is now available to everyone at no charge via the website http://www.dsat.ch. This tool has become very popular; even the FDPIC has made reference to it. To provide it with a broader base, David Vasella, a data protection specialist from an­other Swiss law firm, is also involved as part of the tool’s editorial team.
• Homburger has also adapted its own privacy statement even though the GDPR only ap­plies to Homburger peripherally. Our new pri­vacy statement may be accessed here: https://www.homburger.ch/de/datenschutzerk-laerung

– Additional documents regarding data protec­tion may be found here: www.hom-burger.ch/dataprotection. This also includes a synoptic description of the GDPR in English and German in DIN A5 format, including the most recent adaptations of the GDPR made in April 2018.

Should you have any questions, please do not hesitate to contact us. We will be happy to put our experience to work assisting you in implementing the GDPR and the forthcoming FADP in your com­pany using a risk-based and pragmatic approach.