GDPR and the revised Swiss Data Protection Act: the impact on sports organisations and businesses in Switzerland
There is no doubt that the world of sport has benefitted from advances in technology, data output and data analytics. Whether as an athlete, a fan, a rights holder, a sponsor, investor or brand, embracing the value of data can be an overwhelmingly positive pursuit, whether that concerns maximising commercial revenues, utilising high performance biometric data or developing targeted marketing campaigns. However, the use of technology and data to more actively engage in one’s sport isn’t without risks. In this article, we focus on one such risk area – compliance and the responsibilities of the data controller under the incoming General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (revised) (DPA). We’ll also look at some of the practical solutions that organisations and businesses (as data controllers) can adopt to stay ahead of the game.
The GDPR and the DPA
The GDPR will come into force on 25 May 2018. This new EU data protection regime will introduce new obligations on sport organisations and businesses as data controllers when processing the personal data of data subjects (such as athletes, members and fans). Furthermore, in the context of sports organisations based in Switzerland, the GDPR will have extra-territorial applicability to the extent that if such an organisation wishes to process the data of a data subject in the EU, they will have to play by the EU rules. This is entirely intended and in almost all cases where there is an EU nexus, sports organisations and businesses will need to consider and review their procedures in order to comply with the GDPR.
Swiss organisations will also need to comply with the DPA, which is being amended at the end of 2018 or in early 2019. Broadly speaking, the DPA has been introduced to complement the GDPR, and a draft of the DPA was published by the Federal Council on 15 September 2017. Whilst the principles underpinning the two regimes are broadly similar, there will be an important interplay between them, not least on the topic of enforcement (please see below).
What is personal data and why is a sports organisation (such as a sports federation) a data controller?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (the “data subject”). A data controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processing” includes collecting, recording, organising, storing, retrieving, consulting, using, erasing or destroying the personal data. As such, sports federations will in almost all instances be data controllers in relation to the information they gather, store and use about all persons linked to their sport (the data subjects), which includes not only the athletes but also fans and any other connected persons about whom data is processed.
Obligations of data controllers
So what are some of the main obligations on data controllers? Here are some key examples:
- providing data subjects with information (privacy notices) about their personal data being processed, the reasons for such processing and the details of any recipients of that data (any requests from data subjects should be reasonable and governing bodies need only provide the personal data information that they possess concerning the data subject in question, nothing more);
- keeping an up-to-date record of all processing activities for which they are responsible;
- ensuring that data is processed securely and that appropriate systems are in place that meet the standards imposed by the GDPR and the DPA;
- ensuring that any data processing which is delegated to a processor (for example, a law firm) is subject to a contract that satisfies GDPR/DPA requirements;
- notifying personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) (the relevant Swiss supervisory authority) without undue delay;
- where a data subject has asked for data to be rectified or erased, notifying those persons with whom the personal data has previously been shared;
- implementing policies to ensure that data processing is performed in accordance with the GDPR and the DPA;
- telling data subjects about a personal data breach if it is likely to result in a high risk to their rights and freedoms; and
- where personal data is transferred to a country outside the EEA or to an international organisation, ensuring that the European Commission has confirmed that the recipient country has an adequate level of protection or, if there is no such confirmation, providing appropriate safeguards (such as the encryption of data).
The GDPR establishes a two-tiered system of penalties. Some infringements (for example for violations relating to internal record keeping) are subject to fines of up to EUR 10 million or 2% of global revenue. Others (such as breaches of the data protection principles) are subject to higher fines of up to EUR 20 million or 4% of global revenue.
Under the DPA the maximum financial penalty is substantially lower than the GDPR at CHF 250,000.
The responsibility for enforcing breaches of the GDPR against Swiss-based organisations will rest with the relevant supervisory authorities in each EU member state, not the FDPIC. Practitioners will be watching this aspect closely, and it may be that co-operation agreements (between Switzerland and the EU) will be required before EU supervisory authorities will have meaningful powers of enforcement. That being said, Swiss-based organisations and businesses will be obliged (in certain circumstances) to designate a representative in the EU, and as such it will likely be the case that supervisory authorities will serve the representative with orders against the Swiss organisation.
Preparing for the GDPR and the DPA
There are many steps that organisations should already have taken to prepare for the GDPR, and unless they are prepared, it is unlikely that their current arrangements are GDPR-compliant. The full requirements of the DPA will become clearer when the regulatory guidance and the DPA are finalised, but as a very general rule, organisations that can demonstrate compliance with the GDPR will be well on their way to demonstrating compliance under the DPA.
Over the last year, sporting organisations will have been reviewing their current arrangements and the data they hold, and establishing new processes.
Some of the main action points organisations should be considering to ensure compliance include:
- carry out a data audit to establish how and why data is held by the organisation and to determine what the lawful purpose of holding that data is – for example:
  - where it is held and how long it has been held for;
  - the reasons for the decision to keep the data for a specific time;
  - who it relates to;
  - why it is being processed; and
  - how it is kept secure.
- update existing data protection policies to make them GDPR compliant. If no data protection policy exists, organisations should create one to satisfy their accountability obligations. The data protection policy should refer to:
  - the timescale for complying with data subjects' information requests;
  - how personal data is processed and stored; and
  - the procedures and policies they have in place to comply with the GDPR.
- decide who within the organisation will deal with GDPR compliance; for example, nominate an employee as the main point of contact for requests for information;
- carry out training for employees: in particular, all individuals involved in processing should be able to identify when there has been a personal data breach and be aware how this should be dealt with;
- consider if consent is required and whether consent is/has been obtained from the data subjects correctly. If it has not been collected correctly, refresh the consent or consider whether another legal basis for processing that personal data is applicable under Article 6 GDPR;
- put systems in place to ensure that a data access request/exercise of a right of erasure can be complied with quickly;
- put systems in place to deal with data protection breaches (for example, to identify, record and (if required) report a data breach);
- consider whether any sensitive data is processed within the organisation and whether appropriate systems are in place to safeguard it;
- ensure that personal data is held safely and securely; for example, electronic documents are encrypted, password protected and backed up on a regular basis;
- consider who the data is shared with (for example, third party service providers or advisers);
- regularly assess progress (for example, by including GDPR compliance as a fixed item on the agenda at meetings);
- consider how long the data should be kept for. The GDPR requires the data to be kept “no longer than is necessary for the purposes for which the personal data are processed …”; and
- review insurance policies to see if they can be extended to cover liability for fines and compensation under the GDPR.
An international federation (based in Lausanne, Switzerland) launches a new international tournament. As part of this, the federation grants a right to one of the tournament’s major UK/Swiss-based sponsors to run a targeted promotion for adults over the age of 18 in the UK and Switzerland for one of its product lines. Ticket holders for the matches in the UK and Switzerland (who have provided their details (name, address, date of birth) to the federation in the first instance at the point of purchase) are offered the chance to enter a sponsor-backed competition to meet certain players after the UK and Swiss matches in return for buying the said product.
In the example above, some factors to consider would be as follows:
- The communication of the promotion to the ticket holders (by using their email addresses and selecting those within the age category) (a) in the UK, will fall within the GDPR and (b) in Switzerland, will fall under Swiss data protection law/the DPA. In addition, the federation and the Swiss-based sponsor will need to comply with the DPA in relation to any data processing to which they may be subject.
- In the context of the GDPR, personal data must be processed fairly and lawfully and so the UK ticket holders would need to have provided consent to the federation to share their data with the sponsor. Similar consent requirements will be required under the DPA.
- Depending on the exact nature of the relationship between the federation and the sponsor, a contract governing the transfer of the personal data should be included in the sponsorship agreement.
If you are uncertain how the GDPR and the DPA affect you and how you can ensure compliance now and in the future, we suggest contacting us to discuss bespoke solutions for your organisation which will be largely determined by your size, expertise and the location of your data subjects. Indeed, Charles Russell Speechlys SA is uniquely placed to provide integrated Swiss and EU legal advice to organisations on the effects of the GDPR and the DPA.