Is my company subject to the GDPR?

General Remarks

The General Data Protection Regulation (GDPR) has been, is and will continue to be the subject of much debate.

For Swiss companies, the question arises as to how far this regulation applies to them. While many have raised the spectre of colossal sanctions in the event of non-compliance with the GDPR, it is still necessary for it to be applicable to them, which in reality is far from being as systematic as some have tried to make it seem.

Without going into the details of the text of the GDPR itself, its possible application to companies having their registered office in Switzerland is determined by Article 3, paragraph 2, which reads as follows:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour takes place within the Union. »

It is above all letter (a) that will hold our attention here. According to this provision, a company with its registered office in Switzerland thus appears to be subject to the GDPR insofar as it processes the data of natural persons in the Union, in connection with an offer of goods or services.

The European Data Protection Board (EDPB) has had the opportunity to give its opinion on the interpretation that should be given to this provision in the context of Guidelines 3/2018 adopted in their latest version on 12 November 2019. What should be retained?

A distinction is to be made as to whether or not the company has an online activity:

The impact of offline business on the possible application of the GDPR

If the Swiss company only operates offline (i.e. without using an e-commerce website), and its activities are only offered in Switzerland, the application of the GDPR should not come into play. Two points should be made in this regard:

• First, the GDPR only applies if the processing concerns data of persons who are in the Union at the time of the processing. In other words, the processing which takes place while such a resident is in Switzerland does not trigger the application of the GDPR. For example, the data processing in Switzerland of a European resident passing through Switzerland for a few days does not result in the application of the GDPR to the companies that process data of this resident during his stay. If the company only promotes and carries out its activities in Switzerland, the application of the GDPR will thus not come into play, even if the company processes data of European nationals in the course of its activities.
• Second, the GDPR only applies in connection with an offer of products or services to individuals in the Union. This is therefore not the case for a Swiss company employing foreigners who are nationals or even residents of the European Union. The processing carried out is then made necessary to execute the employment contract binding the Swiss company to its employees, it occurs in principle only on Swiss territory and is not related to an offer of products or services. In other words, the fact that a Swiss company has cross-border employees does not result in the company being subject to the GDR.

For many Swiss companies, the question of the application of the GDPR therefore arises above all through a possible website and the online transactions that may follow, possibly through the provision of an online service.

The impact of e-commerce on the possible application of the GDPR

The decisive criterion thus consists of assessing whether the company “offers goods or services to persons in the Union” at the time of the processing.

In this context, the mere fact that a website is accessible anywhere in the world is not sufficient to be considered as an “offer“. A certain targeting of individuals in the Union, reflecting an intent to reach them, is therefore necessary.

Whether such individuals are being targeted will have to be assessed on the basis of various criteria, in particular the way the site is configured, displayed and promoted through various marketing campaigns (online or offline). Among the criteria to be considered are the following:

• The language of the website. To enable the display of a website in a language other than an official language may be considered as targeting foreign nationals. However, this criterion alone will not always be decisive. For example, it should in my view be possible to admit that an English version is admissible in Switzerland given the large English-speaking community on our territory. Similarly, a site dedicated to minorities in Switzerland, offering products of origin and written in the language of this minority, should not be interpreted at the same time as targeting these nationals in their country of origin.
• The general terms and conditions may also be taken into account in assessing any targeting. In my view, however, here again, the fact that deliveries to Switzerland are not limited to Switzerland should not yet be sufficient to consider it as meaning that there is an intent to target European nationals; like the accessibility of the site, the spontaneous purchase of a product by a European national on a “.ch” site and its subsequent delivery, i.e. a form of passive sale, should not, in itself, be considered as targeting such individuals. This will however be the case if, on the contrary, the conditions expressly provide that delivery is possible throughout the European Union. However, one should be cautious in the sense that, in my view, mere passive sales (i.e. sales initiated spontaneously by European nationals without having been solicited in one way or another by the site operator) do not seem to be able to be considered as reflecting a form of “targeting” in the sense required by the GDPR.
• The reference to an international code will imply an openness to foreign customers. However, the mention of +41 should not in itself be sufficient to conclude that there is international targeting when this element is not supported by other criteria. It goes without saying that the indication, on the other hand, of a contact point and number in the Union will imply such targeting. The following criteria will however be conclusive of such targeting :
• The currency. Contrary to the previous criteria, which in themselves may be insufficient to conclude that there is “targeting”, the fact that payment in a currency other than the Swiss franc, notably in Euros, is possible, will be a convincing indication that the Swiss company is also targeting European nationals.
• The ccTLD, e. the extension under which a domain name is registered. The registration of a domain name under a given geographical extension (for example “.fr” or “.de”) implies that the company intends to provide its services to the public in question. In my opinion, the mere holding a gTLD such as “.com” should however not, in itself, be conclusive of such targeting.
• The marketing campaigns. The fact of carrying out marketing campaigns in the Union will obviously reflect an intent to target European nationals. In this respect, it will be in the company’s interest to be cautious in the way it (or its agency) designs online campaigns through services such as Google Adwords or on social networks; the fact that the geographical scope of such advertisements is not limited to Switzerland alone but may be viewed in the Union should be construed as a willingness to target the European Union.

The impact of the application of the GDPR

In the light of the above, it is clear that if a Swiss company that only operates in Switzerland outside the Internet has little to fear, a company that also intends to promote its services on the Internet will have to be careful about the way it configures its site and conducts its marketing campaigns.

The application of the GDPR obviously has many consequences for the company, which will be the subject of developments in later posts.

Among these, we will mention here the obligation to appoint a representative within the European Union (art. 27 GDPR), ideally in one of the countries whose individuals are targeted, a point too often ignored or neglected for the sake of simplification. Needless to say, this point is not the most pleasant one, since it implies finding such a representative, who will only accept to play this role in return for payment. In the absence of such representative, the company will fail to fulfil one of the obligations of any data controller, i.e. to communicate the identity of its representative in accordance with its obligation of transparency (art. 13 and 14 GDPR). Some companies now offer this service at a mode