Legal Framework


EU directive on data protection

Switzerland is neither a member of the EU nor of the EEA. Accordingly, EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), is not directly applicable in Switzerland. Even so, Swiss undertakings may be subject to the GDPR (for example, where the processing activities relate to the offering of goods or services to individuals in the EU or EEA, or to the monitoring of individuals’ behaviour in the EU or EEA) (see news 18.12.2015).

The European Commission decided on 26 July 2000 in Commission Decision 2000/518/EC (Official Journal L 215/1 of 25.8.2000) that Swiss law provides adequate protection of personal data and therefore data transfers from Member States to Switzerland are, in principle, permitted under Article 45 GDPR. The adequacy decision is currently being reviewed by the EU Commission.

European Council (Convention No 108)

Switzerland ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108) on 2 October 1997 and its Additional Protocol on 20 December 2007. The Convention entered into force for Switzerland on 1 February 1998 and its Additional Protocol on 1 April 2008. Please note that Convention No 108 is currently under revision. The modernised Convention No 108 was adopted by the Committee of Ministers on 18 May 2018 and the final text is available here. This text (technically the Protocol amending Convention No 108) opened for signature on 25 June 2018. At its meeting of 6 December 2019, the Swiss Federal Council ratified the Protocol.