+41 41 521 80 00 | info@lexcellence.swiss

Open jobs!

Setting up a company in Switzerland means Compliance with the Swiss Data Protection Act and the EU General Data Protection Regulation


The country's success is built on a foundation of well-educated employees, a stable, effective administration, a flexible labor market, and reasonable taxation. Switzerland also boasts one of the most efficient and transparent governments in the world. This structure makes Switzerland a desirable place either for national corporations or foreign businesses to establish themselves.


Before you start your company or expand to Switzerland, there are a few things you should think about. First and foremost, you must determine whether you have a viable company concept, and then, you must select the appropriate Swiss business legal structure for it.


Some conditions you must be aware of are: 

  • Whether there is any interest in adopting your products or services before you begin. Find out who your rivals are and whether your business can survive in the market
  • You may also check Switzerland’s commercial register to discover whether the future company name is available
  • Swiss firms are required by law to undergo a statutory audit. The law establishes benchmarks for corporations that must undergo regular audits or a restricted statutory inspection
  • Anyone who operates a Swiss business, whether as a sole trader, a limited company or as part of a partnership, is likely subject to corporate tax in Switzerland


Taking a business abroad is a significant step for many entrepreneurs. But, as with every achievement, there are new challenges to manage to attain even greater success.


In May 2018, the European General Data Protection Regulation (GDPR) entered into force. Even though it is European legislation, it does apply to Swiss companies in specific circumstances. The GDPR established a very broad territorial scope.


Furthermore, Switzerland will introduce in 2021 the adapted Swiss Data Protection Act (DPA) in line with GDPR: Requirements of GDPR – adapted for the Swiss Market – will also apply in Switzerland. 


The GDPR – and therefore also the future Swiss Data Protection Act - is one of the strictest data protection regulations in the world today, and it is a significant challenge for many corporations looking to set up a business in the EU, EEA, and the UK. 


The GDPR and the revised Swiss Data Protection Act aim to secure personal data and how businesses handle, store, and eventually destroy them when they are no longer needed. Individuals have discretion over how corporations utilize the information directly and personally connected to them under the law.


The GDPR applies to:

  • Organizations with a physical presence in at least some member country of the European Union
  • Organizations that process or store data concerning individuals residing in the European Union while offering goods or services to them or monitoring their behavior within the Union without having offices in the EU


Therefore, if you have main offices or subsidiaries in the European Union or work with an organization with employees or customers in the European Union, you are most likely subject to the GDPR – be it directly or indirectly due to your counterparts. Hence, you should consider the seven principles of the regulation. The same applies vice versa to the revised Swiss Data Protection Act. 


The GDPR was established based on seven principles that are stated in article 5 of the GDPR and are also part of the DPA. These principles should be at the core of your personal data processing strategy. The seven principles are as follows:


1. Lawfulness, Fairness, and Transparency

Data should indeed be treated properly, fairly, and transparently in respect to consumers. The proposed use of data must be disclosed clearly and effectively so that the data possessor is aware of how their information is being gathered and processed. This increases openness to data sharing, ensuring that no one is displeased or uninformed about handling their data.


In September this year, Ireland fined WhatsApp Ireland EUR 225,000,000 for not complying with the transparency obligations and other GDPR provisions. The decision is not yet final though.


2. Purpose Limitation

This principle implies that data cannot be retained or repurposed for purposes other than those disclosed to the data possessor at the time of collection. This relates to the first principle, which states that data processing must be made transparent. It prohibits companies from benefiting from data in the future by selling it or using it for incompatible purposes.


An example would be the case of the new paper’s app that sold its consumers' data to Facebook. 


3. Data Minimization

All individuals or businesses should determine the conditions of personal data required to accomplish their goal and no more. Before any data is acquired in any way from the data possessor, their retention, processing, and distribution must be limited and carefully examined.


If someone is applying for a job, of course, they will disclose their information to the company, and the company can only make use of it for hiring; otherwise, the company will be penalized.


The Spanish data privacy supervisory authority fined a company EUR 2,520,000 for installing surveillance cameras in their stores and did not limit the stored data to what was necessary for the purpose of the system.


4. Accuracy

Personal data must be accurate and, when necessary, kept updated and where necessary need to be rectified. Companies need to establish data lifecycle processes to comply with this provision.


5. Storage limitation

A necessary component of GDPR compliance is related to this principle. Data must be maintained in a format that allows people to be identified for no longer than is required for the purposes for which they are processed. If personal data are processed only to store in the public interest, scientific or historical research, or statistical reasons, they may be held for an extended length of time.


The Italian data privacy supervisory authority fined a company EUR 2’500’000 for not having appropriate storage periods implemented into their IT system and other non-compliances with the GDPR. The French data privacy supervisory authority fined a company EUR 1,750,000 for storing customer data for an excessive period of time without sufficient information and the legal basis.


6. Integrity and Confidentiality

Data processing should be done on a need-to-know basis, and only those who require access to the material will be granted access. This develops consumer trust while also preventing avoidable loss or data breaches.


Something as simple as sending an email with other people’s information can result in you unintentionally exposing your employee to a data breach resulting in a fine, according to the GDPR rules. The Spanish data privacy supervisory authority fined two companies just recently EUR 40,000 for sending accidentally bills to the wrong party and EUR 18,000 for sending not necessary MRI scans to an insurer.


7. Accountability

Finally, the controller must be responsible for, and able to demonstrate compliance with the GDPR principles. Anyone who handles data should be adequately taught and understand what GDPR compliance entails.


A case related to this principle was when Heathrow Airport received a fine of £120,000 for losing a USB stick containing unencrypted personal data. Additionally, the Danish data privacy supervisory authority fined a company EUR 496,000 for violating GDPR’s processing principle and especially was not able to provide sufficient evidence that would demonstrate its compliance with the applicable GDPR provisions.


After reading the basic principles of the GDPR, start assessing your data processing to take your business abroad without worries. Our team is happy to assess, identify and manage possible data privacy challenges for your business. We can provide tailored services to meet individual needs.