In just a few months, on May 25, 2018, the new EU General Data Protection Regulation (GDPR) will come into force. As a consequence, the appointment of an EU data protection officer will become mandatory for many Swiss companies that do not have a domicile in the EU.
This is because companies not established in the EU must appoint a representative in the EU in writing if their data processing is related to
a) offering goods or services to data subjects in the EU, against payment or free of charge,
or
b) monitoring the behavior of data subjects (“tracking” or “profiling”), to the extent that this behavior takes place in the EU.
The representative in the EU shall be mandated to serve as a point of contact, in particular for supervisory authorities and data subjects, for all questions in connection with the processing, in order to ensure compliance with the GDPR.
Question: Is your company established in Switzerland (and not in the EU)?
→ Yes: go to the next question.
Question: Is the data processing related to offering goods or services to data subjects in the EU, against payment or free of charge?
→ No: go to the next question.
→ Yes: go to the last question.
Question: Is the data processing related to monitoring the behavior of data subjects insofar as their behavior takes place in the EU?
→ Yes: go to the last question.
Question: Is the data processing occasional, or does it not involve large-scale processing of special categories of data, and is it not likely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing?
→ No: designate a representative in writing.
The principle from Art. 27 GDPR on this is that the representative is a natural or legal person established in the EU who has been appointed in writing by the controller or processor and who represents the controller or processor with regard to their respective obligations under this Regulation.
Only public authorities and public bodies, and only the occasional processing of personal data, are exempt from the obligation to appoint an EU data protection officer.
The word “occasional” offers a lot of leeway in this context. Companies that want to be on the safe side appoint a representative.
Companies that are subject to the GDPR are obliged to take action. To implement the GDPR, various tasks must be clarified, assigned and completed by May 25, 2018, because those who do not comply with the new regulation risk heavy fines. A step-by-step guide to implementing the GDPR in your company is available free of charge in this whitepaper (only available in German).