Sign-up for our monthly newsletter!

Sign-up for the M&A Perspective Newsletter!

Sign-up for the Arbitration Case Alert Newsletter!

Blogs - The M&A Perspective

Data Protection Laws in Motion – Challenge for Compliance and Due Diligence

11.04.2017 – Data protection is currently at the center of attention. This not only leads to stricter enforcement of current legislation, but also to the adaptation of existing statutes around the globe. For instance, the EU General Data Protection Regulation enters into effect as of 25 May 2018, and the Revised Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data by the Council of Europe is ready to be ratified. In parallel, Switzerland is in the process of revising its Data Protection Act, which is expected to enter into force at the earliest between mid-2018 and early 2019. The flurry of new and partially amended legislation with sequential entries into force present two particular challenges for companies: First, companies will need to closely monitor future changes in applicable data protection legislation and based thereon timely implement coherent internal policies. This task can prove tricky as those legislations are often interdependent, e.g. through a requirement of equivalent or adequate level of data protection. Also, in order to avoid multiple repeated adaptations of their compliance structure, companies will not only want to translate imminent changes into their own compliance framework but also anticipated short-term and mid-term amendments.

Secondly, the transitional rules play a key role. New legislation seldom has pre-effects and non-compliance with applicable law will most often not be "healed" by subsequent changes in the law. This leads to the conclusion that a due diligence on data protection compliance should not only statically analyze a company's existing data at a given point in time. Rather, with respect to each set of data, the review needs to take into account its individual fourth dimension: time. In practice: When was the data collected, when was it processed and which rules were applicable at that particular time?