THE GDPR in the swiss context AND IN YOUR COMPANY: already an obligation in some cases


You may have heard of the GDPR and the swiss LPD. What do these two acronyms cover and what obligations do they impose on a Swiss company?

The General Data Protection Regulation (GDPR) is the new legal framework for the European Union and the European Economic Area, which has governed the collection and processing of users' personal data (EU 2016/679) since May 25th, 2018. It concerns Swiss companies that collect such data from members of the European Union. For example, hotels, banks, doctors, trustees, any company with clients within the EU.


Are your customer data well protected?

LPD (Data Protection Law) RS 235.1 is the Swiss law of 1992 which aims to protect the personality and fundamental rights of people who are the subject to data processing by private individuals and federal bodies. The law is considered outdated and is under review to align with the GDPR in order to comply with the EU in particular in criminal proceedings and to move closer to the "Schengen" requirements of the EU Regulation 2016/679. An intermediate law (LPDS) has been in force since March 1st 2019, but does not apply to businesses. A bill of Sept. 28th 2018 has been introduced to amend the DPA. All Swiss companies will have to comply.

If you have prospects or customers in the EU, the GDPR can apply to your swiss business. If you have a website collecting particular personal data too. If you are subcontractors of an EU company that collects data also in some cases. And the coming new swiss LPD will also apply.

In particular, the purpose of processing the sensitive data collected must be known to the applicant. Did you know that? As a "data master" you have obligations to fulfill and let people know that you are complying with them!

We can quickly assess whether your company is subject to the GDPR and accompany you to put in place the necessary procedures.

The FRACTAL intranet portal we offer to improve your organization and sharing information in your business can also make it easier for you.

In addition

  • What is the GDPR?

The acronym GDPR means "General Data Protection Regulation" (GDPR). The GDPR supervises the processing of the personal data of residents in the European Union directly or through subcontractors.

  • Does the GDPR apply to Swiss companies?

Yes, as soon as they process the personal data of EU residents or store sensitive data, for example on their website. And if you are ISO 27001 certified, the GDPR is practically fulfilled.

  • What is sensitive data?

These are data that is "sensitive from the point of view of fundamental freedoms and rights." Their treatment is prohibited with exceptions.

It is: "the processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, as well as the processing of genetic data, biometric data for the purpose of identifying a natural person in a unique way, health data or data relating to the sexual life or sexual orientation of a natural person are prohibited."

  • The RGDP only deals with sensitive data?

No, the GDPR imposes ways to manage the information of personal data from the point of views of: the purpose of processing, transparency, and security.

It is along all these points that we analyze with you the case of your company and we assist you to put the necessary procedures and registers in place.

  • Do you have a DPO ?

We may also receive a mission to delegate the function of data protection officer.

  • What is an DPIA ?

The DPIA is the acronym for: a data protection impact assessment It is an important tool for the accountability of organizations: it helps them not only to build privacy-friendly data processing, but also to demonstrate compliance with the General Data Protection Regulations (GDPR). It is mandatory for treatments that can lead to high risks.

  • The DPIA is split down into three parts:
  1. A detailed description of the treatment implemented, including both technical and operational aspects;
  2. The more legal assessment of the necessity and proportionality of non-negotiable fundamental principles and rights (finality, data and shelf life, information and rights of persons, etc.), which are set by law and must be respected, regardless of the risks;
  3. The more technical study of data security risks (confidentiality, integrity and availability) and their potential privacy impacts, which determines the technical and organizational measures needed to protect the data.

It should be noted that data protection impact assessment (DPIA) and PIA (Privacy Impact Assessment, a more common term used in other parts of the world) are synonymous.

Jean-Christophe Hadorn

Jean-Christophe Hadorn

Date de la mise en ligne :

May 10, 2020