dataprotection.ch

 
Frequently Asked Questions

Data Transfers Abroad

Question:
May we freely and without restrictions transfer personal data from Switzerland to a foreign country or provide access to personal data to persons in a foreign country?

Answer:
No. Under Swiss data protection laws and regulations, if the legislation of the foreign country does not afford adequate protection for the personal data to be transferred or accessed, transfer or access outside Switzerland is allowed only if certain specific requirements with respect to such disclosure abroad are met.

Question:
We intend to transfer personal data from Switzerland to Germany (or to provide access to personal data to persons in Germany). We assume that such transfer or access is possible without meeting any specific requirements under the Swiss data protection laws and regulations because the GDPR and the implementing German Data Protection Act provide for adequate protection of personal data. Is this assumption correct?

Answer:
It depends on whether the personal data transferred or accessed pertains to natural persons or legal entities. If the transfer or access only pertains to natural persons, a transfer from Switzerland to Germany or access in Germany is not subject to specific requirements under Swiss data protection laws and regulations. However, if the transfer or access includes personal data concerning legal entities, specific requirements under the Swiss data protection laws and regulations with respect to such transfer or access may need to be met unless certain exceptions apply. As a consequence, before any personal data pertaining to legal entities is transferred to and/or accessed from Germany, it must be verified whether special measures must be taken in advance.

Question:
We intend to transfer personal data from Switzerland to the US (or to make personal data accessible to persons in the US). The company receiving the personal data in the US has certified its adherence to the Swiss-US Privacy Shield. Do we have to meet specific requirements, in particular notify the Swiss Federal Data Protection and Information Commissioner of the transfer or access before it takes place?

Answer:
According to the Swiss Federal Data Protection and Information Commissioner, importing US companies that have certified under the Swiss-US Privacy Shield no longer provide an adequate level of data protection. In consequence, a transfer of personal data to the US should be based on any of the exceptions set forth in Article 6 para. 2 of the Swiss Federal Data Protection Act (DPA). In line with the European Court of Justice’s Schrems II decision, the EU model clauses may not be sufficient. Data exporters are thus advised to carry out a risk assessment and, where necessary, adapt additional clauses or implement technical safeguards such as encryption. The Swiss Federal Data Protection and Information Commissioner must be informed of the safeguards in place before the first transfer takes place.