EU directive on data protection
Switzerland is neither a member of the EU nor of the EEA. Accordingly, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive) is not applicable in Switzerland. Please note that from 25 May 2018 Regulation EU 2016/679 – the so-called General Data Protection Regulation (GDPR) – will apply in the EU and replace the EU Directive (see news 6 May 2016). Despite Switzerland not being a member of the EU, Swiss undertakings might become subject to the GDPR (for example when offering goods or services in the EU or when processing personal data on behalf of an EU controller) (see news 18.12.2015).
The European Commission decided on 26 July 2000 in Commission Decision 2000/518/EC (Official Journal L 215/1 of 25.8.2000) that Swiss law provides adequate protection of personal data and therefore data transfers from Member States to Switzerland are, in principle, permitted under Art. 25(1) of the EU Directive, without limiting the effect of other laws of the European Union.
European Council (Convention 108)
Switzerland ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108) on 2 October 1997 and its Additional Protocol on 20 December 2007. The Convention entered into force for Switzerland on 1 February 1998 and its Additional Protocol on 1 April 2008. Please note that Convention No 108 currently is under revision. The Draft modernised the Convention for the Protection of Individuals with Regard to the Processing of Personal Data and was published in September 2016.