Data Transfers Abroad
May we freely and without restrictions transfer personal data from Switzerland to a foreign country or provide access to personal data to persons in a foreign country?
No. If the legislation of the foreign country does not afford adequate protection for the personal data to be transferred or accessed, under Swiss data protection laws and regulations, personal data may be disclosed abroad only if appropriate protection is guaranteed, for instance by an international treaty, standard data protections clauses (SCC) previously approved, established or recognized by the FDPIC etc. (article 16 revFADP).
We intend to transfer personal data from Switzerland to Germany (or to provide access to personal data to persons in Germany). We assume that such transfer or access is possible without meeting any specific requirements under the Swiss data protection laws and regulations because the GDPR and the implementing German Data Protection Act provide for adequate protection of personal data. Is this assumption correct?
Transfer from Switzerland to Germany or access in Germany is not subject to specific requirements under Swiss data protection laws and regulations. The legislation of Germany (and other EEA countries) guarantees an adequate level of protection (see article 16 revised FADP).
We intend to transfer personal data from Switzerland to the US (or to make personal data accessible to persons in the US). Do we have to meet specific requirements, in particular notify the transfer or access to the Swiss Federal Data Protection and Information Commissioner before it takes place?
According to the Swiss Federal Data Protection and Information Commissioner, importing US companies do not provide an adequate level of data protection. In consequence, a transfer of personal data to the US should be based on any of the exceptions set forth in Article 16 para. 2 of the revised FADP.
Switzerland does not have to directly implement ECJ rulings on the GDPR. However, since the FADP provides for the same adequacy mechanism and Switzerland also participated in the data protection arrangement with the USA with its own Swiss-US Privacy Shield, the Schrems II ruling was also relevant for Switzerland. The FDPIC amended the comments on the USA in its list of countries by stating that the Swiss-US Privacy Shield no longer meets the requirements for adequate data protection within the meaning of the FADP.
The “new” standard contractual clauses (SCCs) published by the EU Commission on 4 June 2021 were also recognised by the FDPIC. However, the FDPIC pointed out which modifications and additions to the EU SCCs are necessary in order to take Swiss concerns into account. The FDPIC has published a detailed statement on this subject.
In line with the European Court of Justice’s Schrems II decision, the EU standard contractual clauses (SCC) may not be sufficient. Data exporters are thus advised to carry out a “transfer impact assessment” (TIA) before commencing a transfer to a recipient in an unsafe country and, where necessary, adapt additional clauses or implement technical safeguards such as encryption.