Data Protection

Maintaining data protection management systems, programs and software across all business functions is an interdisciplinary leadership task that will be at the forefront of the priorities of all companies, including small firms, as well as of the public sector in the years ahead.

The data protection and privacy regulation landscape is expanding at a high pace on national as well as on trans- and international levels, with considerable extraterritorial impact, for example through the EU’s General Data Protection Regulation (GDPR), the upcoming ePrivacy Regulation (ePR) or international treaties.

Services include (in close cooperation with IT experts):

  • Advice on data protection and privacy matters under Swiss law, such as the drafting of privacy statements, including the evaluation of new requirements, e.g. under the EU’s General Data Protection Regulation (GDPR) or upcoming legislation such as the ePrivacy Regulation (ePR), from the perspective of a Switzerland-based company or organization.
  • Advice on preparing comments on new regulation from various perspectives.
  • Advice on data protection documentation (of the company’s digital assets and third-party relationships), technical and organizational legal and compliance duties and responsibilities of various functions including board oversight and senior management leadership and collaboration with data and IT security experts (opinions and audits/gap analyses considering the risk potential such as internal/external and intentional/unintentional threats etc.) considering standard Data Management System (DMS) and Data Processing System (DPS) methods as recommended by various organizations.
  • Employment agreements and job descriptions for data protection officers as well as agreements with external data protection officers.
  • Contracts with representatives of data controllers or processors not established in the European Union (art. 27 GDPR).
  • Advice on data protection rules and regulations in codes of conduct and compliance including the impact of data protection principles on internal investigations (transparency).
  • Advice on corporate rules such as general data protection guidelines, rules and regulations including regarding the use of internet and email, BYOD, social media and home office as well as e-learning, cybersecurity policies and procedures etc.
  • Advice on all data protection rules and regulations relating to employment relationships (confidentiality obligations, communication with employee insurance services provider, recruiting, hiring procedures, background checks, video and other monitoring issues including authentication of access to premises or computer applications such as biometric compliance etc.) (see also practice area “Labor Law”).
  • Advice on the rights of the data subject.
  • Advice on customer protection issues/forms.
  • Advice on measures to mitigate third-party data breach risks.
  • Advice on data protection contract clauses and agreements (confidentiality, non-disclosure etc.) in corporate transactions and collaborations of all types (M&A, outsourcing, transfer of highly confidential data of all kinds and employment relationships etc.), including regarding international data transmissions.
  • Advice on the design of incident response and notification/communication plans (cf. also practice area “Project and Crisis Management”) as well as complaint management systems.
  • Advice on communication with data protection and other authorities (such as financial supervisory authorities or stock exchanges etc.) and in connection with all types of procedures, including timely and effective disclosure and regular reporting obligations, considering all applicable rules, issued industry recommendations and sector-specific obligations. Coordination with other potentially relevant restrictions (e.g. insider trading, internal accounting controls obligations etc.).
  • Advice on appropriate employee training programs.
  • Advice on document/data retention obligations.

Illustrative reference transactions, competencies and achievements include:

Always working closely together with many business functions including IT
  • Advised on the handling of patient data in connection with the sale of a dental practice.
  • Advised a recruiting agency on data protection and privacy duties and responsibilities in connection with the recruiting process, including multi-jurisdictional settings and the drafting of ad hoc statements and policies, as well as duties and responsibilities relating to background checks and candidate research activities, considering the requirements of the EU’s General Data Protection Regulation (GDPR) from the perspective of a Switzerland-based company.
  • Advised employers as well as employees on various data protection and privacy duties and responsibilities regarding employment relationship aspects including the exchange of data between insurance companies and employers.
  • Advised on the electronic archiving of medical records of employees in an international context.
  • Advised on data protection (including on blocking statutes) and transfer questions and agreements as well as contract clauses in connection with large outsourcing contracts (contractual volume of several CHF 100 million, relating to telecommunications, security, environmental and energy services) in an international context (Switzerland, France, USA) including listed companies.
  • Advised on dozens of cross-border eDiscovery projects, including on all data protection aspects and blocking statutes.
  • Advised on 100+ due diligence activities, M&A agreements (incl. U.S. Privacy Shield) including on all data protection aspects including the transfer of highly confidential data such as patient data as well as the drawing up of various incident/leak response/contingency plans.
  • Represented a General Counsel of a listed industrial group in connection with the sale of a business unit for 6+ weeks (project organization and launch of an international auction including German and Chinese bidders and due diligence considering data protection including blocking statutes issues).
  • Advised private clients regarding rights and duties in connection with video monitoring.