What do Swiss website operators have to bear in mind when it comes to data protection-compliant web analytics?
Swiss companies usually have to comply with both: the Swiss Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR). Why also the GDPR? According to the so-called place of market principle (Art. 3 para. 2 lit. a GDPR), the GDPR applies as soon as the offer is directed at persons in the EU or EEA (persons in Liechtenstein alone). In its Guidelines 3/2018, the European Data Protection Board has named the following criteria, among others:
- Dispatch of goods to persons in the EEA (EU, Iceland, Liechtenstein or Norway).
- Display of prices in EURO respectively acceptance for payment.
- Use of Top Level Domains (TLDs) with reference to at least one member state (such as .at, .de or .li).
- Tourist offers with an international character or for an international audience.
This is likely to apply to a large number of Swiss website offerings. In addition, the Swiss data protection law was adapted to the GDPR in order to be recognised as equivalent.
In contrast to Google Analytics, etracker Analytics does not require consent, even with cookies, according to the Swiss Data Protection Act, as no personality profiles are generated by default with etracker Analytics, according to the Federal Data Protection and Information Commissioner (FDPIC):
“A transparent data protection statement alone is not sufficient if the tracking provides particularly sensitive personal data or personality profiles. In this case, the user must be explicitly asked in advance when visiting the website whether he or she agrees to the tracking.”
(Translated by the author)
However, cookie-less tracking with cookie activation after consent is also recommended in Switzerland, as the regulations of the e-Privacy Directive 2002/58/EC of the European Parliament and of the Council (Cookie Directive) usually also apply due to the market place principle.