- The applicability of the GDPR for cross-border order processing between Switzerland and the EU has not been conclusively clarified in legal terms.
- The author is of the opinion that the GDPR does not apply to Swiss companies as processors.
- In such constellations, only the company with a branch in the EU is subject to the GDPR.
David Vasella has published in digma 4/2017 [Swisslex] an essay on the scope of application of the GDPR at the Cross-border order processing written, i.e. on the question of whether the GDPR applies if and because a company with a branch in Switzerland is the controller of personal data (as defined in the GDPR) by a processor with an establishment in the EU or, conversely, processes personal data as a processor on behalf of a data controller established in the EU processed.
The essay takes a blog post published here and comes to the following conclusion:
It has not been conclusively clarified whether the GDPR is applicable to Swiss companies if and because they act as processors of a controller with an establishment in the EU or, conversely, have data processed by an EU processor. According to the opinion expressed here, this is not the case; in such constellations, only the company in the EU the GDPR.