The EU Court of Justice's decision on data protection (see Schrems II) is also relevant for Swiss companies: the new assessment applies to their relationships with companies in the EU, and the new Swiss Data Protection Act (CH DPA) is based on the same standards.
Companies must address the CH DPA, as it becomes mandatory as of January 2022.
In case of non-compliance, the consequences are not as severe as for companies in the EU. The maximum fine of CHF 250,000 is lower than under the EU GDPR, but it directly penalizes C-level individuals and is accompanied by an entry in the criminal record.
According to legal experts and some courts, the measures in place for cloud services from US providers are insufficient to adequately protect the data.
It is also recommended to take a closer look at the data transfers to the service providers and, if possible, to anonymize or minimize the data. Anonymization can lower the risk level, especially for sensitive data. There are also technical solutions, e.g. cloud access security brokers, to encrypt the data before it is transferred.