- In principle, the GDPR does not apply to a Swiss controller solely because of an EU processor.
- Art. 3 GDPR follows the principle of establishment; exceptions are market orientation and behavioral monitoring in the EU.
- An EU branch of the processor does not automatically constitute a branch of the external controller.
- Special cases: offering to the EU market or behavioral monitoring triggers application of the GDPR; differing views are held in Switzerland.
One of the many questions that Swiss companies are currently facing or have already faced in connection with the GDPR is the following: Does the GDPR apply to the data processing of a Swiss controller who employs a data processor in the EU?
In my opinion, the answer to this is No:
- The system and purpose of Art. 3 GDPR speak against this. In principle, the principle of establishment or country of domicile applies (para. 1). Accordingly, a Swiss controller is not subject to the GDPR as long as it does not have an establishment in the EU. As an exception, paragraph 2 regulates two cases in which a foreign company is nevertheless subject to the GDPR, namely market orientation (lit. a) and behavioral monitoring (lit. b). Outside of these exceptions, however, the GDPR does not apply to companies in Switzerland.
- This is also reflected in the fact that Art. 27(1) GDPR only mentions these two exceptions when it comes to the obligation of non-European processors to appoint an EU representative, and that Art. 40(3) GDPR mentions compliance with codes of conduct by foreign controllers and principals, which are not covered by the GDPR according to Art. 3 (and the same applies to Art. 42(3)).
- It should also be clear that the establishment of the processor is not a branch of the controller. An establishment in the EU is only an establishment of a non-European controller if it is connected to it in a qualified manner. This is clearly reflected in recital 22: “The legal form of such an entity, whether it is a branch or a subsidiary with its own legal personality, shall not be decisive”. In principle, therefore, a connection under company law is required, but according to the ECJ's ruling in Google Spain, an agency, for example, would also suffice. However, mere commissioned processing is not sufficient (cf. Article 29 Working Party, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, p. 5; Google Spain changes nothing in this respect: Google Spain was a subsidiary and thus a branch of Google, Inc. [para. 49]; the only dispute was whether the operation of the search engine by Google, Inc. was attributable to the Spanish branch, i.e. whether it took place “within the scope of this branch”; para. 52 et seq.). As a result, the establishment principle cannot lead to subjecting the non-European controller to the GDPR.
- It should also be taken into account that the GDPR also subjects the EU-based processor to the GDPR. The current Directive does not do this; in principle, it presupposes an establishment of the controller (Art. 4(1)(a)). With the processor now subject to the GDPR, there is no longer any reason to subject a Swiss controller to the GDPR in order to avoid a protection gap (because protection is already ensured by the application to the local processor, the GDPR can also dispense with the criterion of the use of local “means” under Art. 4(1)(c) of the Directive). Thus, the goal of not depriving persons in the EU of the protection of European law can no longer justify applying the GDPR to the non-European controller. If one nevertheless wanted to subject the foreign controller with an EU processor to the GDPR, one would, to be consistent, have to subject any processing of data of persons in the EU to the GDPR. However, this is precisely what the legislator deliberately refrained from doing.
As a result, a Swiss controller does not have to comply with the GDPR for a particular processing activity simply because it employs a processor in the EU; or, formulated differently: the transfer of personal data to the EU processor no longer “infects” the processing of such personal data. This is also the view of, for example, Karg (in Kühling/Buchner, currently the most comprehensive commentary on the GDPR, Art. 3 N 38). In Switzerland, however, other views are also held (e.g. here, here, here and here).
There are two caveats to keep in mind:
- If the data controller simultaneously directs its offer to the EU market (as defined in Art. 3(2)(a)) or monitors the behavior of persons in the EU (as defined in Art. 3(2)(b)), this fact triggers the application of the GDPR.
- According to Art. 139 IPRG, persons in the EU can generally invoke their home country law before Swiss courts.
Admittedly, not being subject to the GDPR does not change the fact that the EU processor will, at least de facto, insist on concluding a contract pursuant to Art. 28(3) GDPR with the controller. However, the requirements of this provision primarily affect the processor. Art. 28 GDPR is therefore primarily relevant in the reverse case, where an EU controller uses a processor in Switzerland. However, the conclusion of an agreement pursuant to Art. 28(3) only leads to a contractual binding to certain obligations of the GDPR, not to the application of the GDPR itself. This distinction is of course relevant in case of a breach (contractual consequences vs. risk of fines), but also with regard to further obligations such as those to appoint an EU representative or data protection officer.
An open question is whether the EU processor, when transferring data (back) to the non-European controller in such a constellation, must comply with Art. 44 et seq. GDPR regarding transfers to third countries (or, vice versa, the EU controller when transferring to the Swiss processor). The wording of Art. 44 GDPR suggests this. However, it would contradict the legislative decision not to subject the controller in such constellations to the GDPR. The question is open, but hardly plays a role in the relationship with Switzerland, as the EU Commission considers Switzerland to have adequate data protection.