Analytics made for Switzerland

by Katrin Nebermann

What do Swiss website operators need to bear in mind for data protection-compliant web analytics?

Swiss companies usually have to comply with both the Swiss Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR). Why the GDPR too? In accordance with the so-called marketplace principle (Art. 3 para. 2 lit. a GDPR), the GDPR applies as soon as the offer is directed at persons in the EU or the EEA (even to persons in Liechtenstein). In its Guidelines 3/2018, the European Data Protection Board set out the following criteria, among others:

• Shipment of goods to persons in the EEA (EU, Iceland, Liechtenstein or Norway)
• Display of prices in EURO or acceptance for payment
• Use of top level domains (TLDs) with reference to at least one member state (such as .at, .de or .li)
• tourist offers with an international character or for international customers

This is likely to apply to many Swiss websites. In addition, the Swiss Data Protection Act was adapted to the GDPR in order to be recognized as equivalent.

In contrast to Google Analytics, etracker analytics does not require consent under the Swiss Data Protection Act, even with cookies, as etracker Analytics does not generate any personal profiles by default, according to the Federal Data Protection and Information Commissioner (FDPIC):

“A transparent privacy policy alone is not sufficient if tracking is used to obtain particularly sensitive personal data or personality profiles. In this case, the user must be expressly asked in advance when visiting the website whether they agree to the tracking.”

However, cookie-less tracking with cookie activation after consent is also recommended in Switzerland, as the provisions of the e-Privacy Directive 2002/58/EC of the European Parliament and of the Council (Cookie Directive) usually also apply due to the market location principle.