Data Transfers Abroad
May we freely and without restrictions transfer personal data from Switzerland to a foreign country or provide access to personal data to persons in a foreign country?
No. If the legislation of the foreign country does not afford adequate protection for the personal data to be transferred or accessed, under Swiss data protection laws and regulations, transfer or access outside Switzerland is allowed only if certain specific requirements with respect to such disclosure abroad are met.
We intend to transfer personal data from Switzerland to Germany (or to provide access to personal data to persons in Germany). We assume that such transfer or access is possible without meeting any specific requirements under the Swiss data protection laws and regulations because the GDPR and the implementing German Data Protection Act provide for adequate protection of personal data. Is this assumption correct?
It depends on whether the personal data transferred or accessed pertains to natural persons or legal entities. If the transfer or access pertains only to natural persons, a transfer from Switzerland to Germany or access in Germany is not subject to specific requirements under Swiss data protection laws and regulations. However, if the transfer or access includes personal data concerning legal entities, specific requirements under the Swiss data protection laws and regulations with respect to such transfer or access may need to be met unless certain exceptions apply. As a consequence, before any personal data pertaining to legal entities is transferred to and/or accessed from Germany, it must be verified whether special measures must be taken in advance.
We intend to transfer personal data from Switzerland to the US (or to make personal data accessible to persons in the US). The company receiving the personal data in the US has certified its adherence to the Swiss-US Privacy Shield. Do we have to meet specific requirements, in particular notify the Swiss Federal Data Protection and Information Commissioner of the transfer or access before it takes place?
If the Swiss-US Privacy Shield certification of the company receiving the personal data in the US covers the personal data that will be transferred, such transfer is possible even if none of the exceptions set forth in Article 6 para. 2 of the Swiss Federal Data Protection Act (DPA) apply. In particular, it is not necessary to enter into a specific cross-border data transfer agreement and to notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) thereof before the first transfer takes place.
Please note that if the US-based recipient is only certified under the EU-US Privacy Shield, or if the Swiss-US Privacy Shield does not cover the personal data being transferred, this is not sufficient. In that case, unless another exception set forth in Article 6 para. 2 DPA applies, additional safeguards must be implemented and the Swiss Federal Data Protection and Information Commissioner must be informed thereof before the first transfer takes place.