Important legal changes are on the horizon in Europe and Switzerland. Implications for companies include, but are not limited to, increased documentation duties, a need to amend processes in line with new notification duties, and measures to delete personal data. New financial penalties are intended to add weight to the seriousness of data protection in the future.


The EU General Data Protection Regulation (GDPR) is binding with effect as of 25 May 2018. It’s the first major piece of EU legislation that applies to residents and organisations in all 28 EU states. The GDPR also applies to Swiss companies in certain circumstances, e.g. when they provide goods or services within the EU and handle personal data (in Switzerland) in the process.

Core components:

  • Stricter fines: up to EUR 20 million or – if higher – up to 4% of the company's annual turnover 
  • Strict documentation duties: evidence that personal data is processed in accordance with the requirements 
  • Duty to report data protection breaches within 72 hours to the extent possible 
  • Definition of a retention period for personal data and duty to delete thereafter 
  • Extended powers of supervisory authorities

Overhaul of the Swiss Federal Act on Data Protection

In September 2017, the Swiss Federal Council also published a draft for the overhaul of the Swiss Federal Act on Data Protection. Its close alignment with the GDPR is reflected in the main features. Although the Swiss draft is more general in nature, Swiss companies will in future also face increased documentation, information and notification duties.

A major difference concerns the planned sanctions model. The high penalties threatened by the EU are not to be adopted; in Switzerland, the fine for a data protection breach are not to exceed CHF 250,000. In contrast to EU practice, however, it is not the company that is fined but rather the company representatives personally. Usually this would be the board of directors or members of the executive committee. The company can be held accountable for the fine instead of the individuals only in the case of smaller penalties (under CHF 50,000). The revised Swiss Federal Act on Data Protection appears to be on track to enter into force in 2019. We recommend that companies start now to examine their internal processes and adapt them in line with the new requirements.

Want to know more?