European General Data Protection Regulation GDPR

The European General Data Protection Regulation (GDPR) entered into force in May 2018. Although it is a European regulation, it also applies to Swiss companies under certain conditions.

To whom does the GDPR apply? 

The GDPR applies to any handling of personal data by Swiss companies, if the company

  • has a regional office in the EU, such as a branch office, agency, local representative office or subsidiary, provided the latter does not act independently but on behalf of the Swiss parent company, and processes personal data in connection with the regional office (example: a branch in France sells products or services for the head office in Switzerland and uses the name and address of end customers or the buyer’s contacts from France); 
  • is not established in the EU but offers goods or services in the EU (example: a company in Switzerland actively distributes goods or services to Germany via a website, or a Software as a Service (SaaS) provider in Switzerland has customers in the EU) or observes the behavior of persons in the EU (example: the company’s website in Switzerland uses cookies that allow conclusions to be drawn about the behavior of website visitors, and this data is evaluated).

What are the consequences of non-compliance? 

An infringement of the GDPR could have the following consequences: 

  • European authorities can impose fines of up to 20 million euros or, if higher, four percent of the infringing company’s worldwide annual turnover.
  • Contracts often require compliance with applicable law in general or data protection law in particular. In such cases, an infringement can lead to contractual penalties, premature termination, claims for damages and the loss of rights. 

Detailed information on the GDPR and what Swiss companies need to do, including a checklist, can be found in our Information Sheet. 


