Copyright © Media Law International 2018. All Rights Reserved.
Specialist Guide to the Global Leaders in Media Law Practice
1. Under the GDPR, the processing of personal data always requires the data subject's consent – WRONG
Unlike the Swiss Federal Data Protection Act (DPA), the GDPR is based on the principle that the processing of personal data is prohibited. A good reason (a so-called legal basis) is required for data processing. Consent is only one of six possible legal bases for data processing (Art. 6(1) GDPR).
Consent is actually the legal basis that should be relied on last in most cases (reasons: strict requirements concerning validity, revocability at any time, and the time-consuming administration of consents, so-called "consent management"). This applies even to the processing of special categories of (particularly sensitive) personal data (Art. 9(2) GDPR) and to so-called "profiling" (Art. 22(2) GDPR).
The following legal bases will be more relevant and easier to manage in practice: necessity for the performance of a contract with the data subject; the controller's compliance with a legal obligation laid down in EU or Member State law (not Swiss law!); or overriding legitimate interests pursued by the controller or a third party.
2. Under the GDPR, consent is always required for profiling on the basis of personal data – WRONG
The processing method of profiling is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This is unlikely to be the case for most advertising-related profiling and for the personalisation of offerings.
Only by adopting an extremely broad interpretation of the relevant provisions (in particular, Arts 22(1) and 35(3)(a) GDPR) could one conclude that "profiling" for targeted advertising or personalised offers is subject to increased requirements, namely a mandatory opt-in and the performance of a data protection impact assessment. The more relevant piece of legislation for online advertising will be the new ePrivacy Regulation.
That Regulation is still being debated, and online industry interest groups continue to lobby heavily. The ePrivacy Regulation might ultimately result in a mandatory granular opt-in for each method applied for targeted advertising (consent requirement for individual tags and cookies).
3. GDPR applies to data processing by Swiss online media if they deliver goods or provide services to end customers in the EU – WRONG or INACCURATE
It is not the provision of goods or services that triggers the applicability of the GDPR. Rather, the offering of goods or services (with or without a payment) to end customers in the EU (or in the EEA) makes the corresponding processing of personal data subject to the GDPR.
Data processing by Swiss online media that recognisably target their offering (also) to the EU end-customer market (e.g. advertising that is also directed to end customers in the EU, or the offerings of an online store provider that recognisably also targets end customers in the EU) will fall within the scope of the GDPR pursuant to Art. 3(2)(a) GDPR. In addition to the principle of establishment (Art. 3(1) GDPR), the GDPR relies on the principle of market effects (Art. 3(2) GDPR).
Decisions by courts or data protection supervisory authorities will have to sharpen the criteria for determining when an offering targets the EU end-customer market. By way of example: if an online job posting is accessible to potential candidates in the EU but the workplace is in Switzerland, the recruiter or the online job platform does not make an offer. Instead, they invite potential candidates to apply for a job in Switzerland.
On the other hand, if an online ad invites patients in the EU to participate in a clinical study (offer of a service) in Switzerland, the corresponding processing of personal data relating to the participating individuals from the EU will be subject to the GDPR.
Even the "monitoring of behaviour" taking place within the EU (Art. 3(2)(b) GDPR) will be subject to the GDPR only if the monitoring occurs in connection with an EU end-customer market orientation (reasonably foreseeable effect on the EU end-customer market). This is required by the fundamental principle of public international law known as comity (mutual respect of jurisdiction) and corresponds to the principle of market effects, as also applicable under EU competition law.
4. If Swiss online media target their offering to the EU end-customer market, the company as such will be subject to the GDPR for all data processing operations – WRONG
The GDPR applies to specific data processing operations, not to organisations in general. The processing of personal data of employees in Switzerland, and data processing in connection with the offering of services to end customers (individuals) based in Switzerland, are governed by Swiss data protection or employment laws. This applies even if data processing by companies in Switzerland in connection with the offering of services on the EU end-customer market (or the monitoring of user behaviour that occurs in the EU) is subject to the GDPR.
Swiss group companies often centralise payroll accounting, expense management, or email and internet-use monitoring in subsidiaries domiciled in the EU. They are then subject to the GDPR in respect of such data processing in the context of the subsidiary's activities. However, they do not automatically fall within the scope of the GDPR for all their other data processing activities.
5. Data processing activities of Swiss companies are subject to the GDPR if they engage a service provider in the EU to carry out the data processing on their behalf (cross-border outsourcing) – WRONG or INACCURATE
The GDPR applies to data processing carried out in the context of activities of an establishment of any processor established in the EU (e.g. operators of a data centre in Ireland). The GDPR, however, does not apply to data processing activities of Swiss companies only because they outsource their activities to a processor established in the EU (e.g. if a Swiss online platform is hosted by Amazon in Germany).
The determining factor is the responsibility for the actual data processing. Companies in Switzerland must comply with the Swiss DPA in relation to data processing for which they are subject to the Swiss DPA (and not the GDPR). This is true even if they outsource such data processing activities to processors established in the EU.
6. The GDPR introduces a uniform and harmonised legal framework for the processing of personal data in the EU – WRONG
The GDPR contains numerous (around 70) opening clauses, some mandatory, some optional. Optional opening clauses enable Member States to provide, in their data protection or other laws that implement or supplement the GDPR, exceptions or derogations from certain provisions of the GDPR (such as information requirements and disclosure obligations):
- Art. 88(1) GDPR enables Member States (within certain limits) to enact more specific provisions for the processing of employees' personal data (e.g. for the purposes of ensuring equality and diversity in the workplace, safeguarding health and safety in the workplace, protecting the privacy of employees, or the performance of employment contracts). Numerous Member States (e.g. Germany, like Switzerland in Art. 328b Code of Obligations) provide, for instance, that the employer may only collect and process types of personal data about employees which are job-related.
- Art. 23 GDPR allows Member States (within certain limits) to enact exceptions, in particular from the extensive information obligations (Arts 12–14 GDPR) and the access rights (Art. 15 GDPR). Germany has made extensive use of this in the revised German Federal Data Protection Act (FDPA).
- Art. 37(4) GDPR allows Member States to require companies to appoint a data protection officer even if they would not be required to do so under the GDPR. Under the revised FDPA, companies must (as before) always appoint a data protection officer if at least ten employees regularly engage in automated processing of personal data (which is true for almost all companies with ten or more employees).
Mandatory opening clauses obligate Member States to enact implementing regulation, for example to establish required institutions (such as one or more data protection supervisory authorities), or to provide effective remedies.
7. The Swiss Federal Data Protection and Information Commissioner will enforce the GDPR against companies in Switzerland – WRONG
The data protection supervisory authorities in the EU that are competent pursuant to the GDPR (Art. 55) are responsible for enforcing the GDPR against companies in Switzerland whose data processing activities are subject to the GDPR – not the Swiss Federal Data Protection and Information Commissioner. In practice, data protection supervisory authorities in the EU Member States will not be in a position to enforce fines against companies in Switzerland without cooperation agreements between the EU and Switzerland.
However, companies in Switzerland are obliged (with a few exceptions) to appoint a representative in the EU (Art. 27 GDPR) if the GDPR is applicable to their data processing on the basis of the principle of market effects (Art. 3(2) GDPR). Regulatory authorities can serve the representative with injunctions against the represented company and thereby avoid the route via international legal or administrative assistance.
Although Switzerland is not part of the EU, Swiss online media may have to comply with the GDPR if their platforms target the EU market or have a sufficient effect on the EU market. Swiss online media therefore need to assess which of their data processing activities may be subject to the GDPR. In practice, global advertisers and media agencies push Swiss publishers for GDPR compliance, irrespective of whether or not such compliance is required from a purely legal perspective.
The wording of the GDPR is not a shining example of a simple and easy-to-understand legal act. It gives rise to numerous misinterpretations, of which we have highlighted only a small selection from our practice as relevant to online media operating from Switzerland. However, the GDPR can be credited with bringing the issues of data protection and data security to the attention of the top management of companies (far beyond the media industry), even in Switzerland.
The potentially significant fines may have played their part in fostering these developments. Regardless of the legal requirements, the unease of employees and consumers with regard to the handling of their personal data by online media is real. Compliance projects should therefore not be geared only towards GDPR compliance. Rather, the paramount goal of such projects is to strengthen the trust of customers
The somewhat ambiguous wording and complexity of the EU General Data Protection Regulation (GDPR) favour the creation of myths and misunderstandings. Some of them also find their way into publications and recommendations of advisors. In this paper, we highlight seven myths that we encounter in our practice (namely in the ongoing GDPR compliance projects for Swiss online media) and clarify the corresponding misunderstandings.
Rolf Auf der Maur
Since the beginning of his career as an attorney in 1992, Rolf Auf der Maur has focused on the legal aspects of the internet, combining his fascination with new communication technologies with his legal expertise. His clients include leading companies from the media and entertainment industries as well as from the telecommunications and information technology industries. In addition to his activities as an attorney, Rolf publishes and speaks regularly on internet-related legal issues and is a member of various industry bodies (e.g. as a board member of simsa Swiss internet industry association, IAB Switzerland and the International Association of Entertainment Lawyers). Renowned as a leading expert in Switzerland in his field, Rolf is listed as "1st Tier" for TMT in Chambers & Partners and other directories.
Thomas Steiner's practice focuses on data, competition and technology law. He heads the Data & Privacy practice team. Thomas Steiner primarily advises companies on the data law aspects of digitalisation, with a particular focus on regulated markets and often in a cross-border context. As an attorney in the Antitrust and Competition practice team, Thomas Steiner represents clients in litigation, regulatory investigations and merger control proceedings.