Data Transfers Abroad

Question:
May we freely and without restrictions transfer personal data from Switzerland to a foreign country or provide access to personal data to persons in a foreign country?

Answer:
No. If the legislation of the foreign country does not afford adequate protection for the personal data to be transferred or accessed, under Swiss data protection laws and regulations, transfer or access outside Switzerland is allowed only if certain specific requirements with respect to such disclosure abroad are met.

 

Question:
We intend to transfer personal data from Switzerland to Germany (or to provide access to personal data to persons in Germany). We assume that such transfer or access is possible without meeting any specific requirements under the Swiss data protection laws and regulations because Germany’s legislation provides for adequate protection of personal data. Is this assumption correct?

Answer:
It depends on whether the personal data transferred or accessed pertains to natural persons or legal entities. If the transfer or access only pertains to natural persons, a transfer from Switzerland to Germany or access in Germany is not subject to specific requirements under Swiss data protection laws and regulations. However, if the transfer or access includes personal data concerning legal entities, specific requirements under the Swiss data protection laws and regulations with respect to such transfer or access need to be met unless certain exceptions apply. Compliance with these requirements must be ensured before the transfer or access takes place.

 

Question:
We intend to transfer personal data from Switzerland to the US (or to make personal data accessible to persons in the US). The company receiving the personal data in the US has certified its adherence to the US-Swiss Safe Harbor Framework. Do we have to take any specific measures, in particular notify the transfer or access to the Swiss Federal Data Protection and Information Commissioner before it takes place?

Answer:
Yes. The Swiss Federal Data Protection and Information Commissioner does no longer recognise that the US- Swiss Safe Harbor Framework provides an adequate level of protection for personal data. Therefore, it is recommended to enter into a specific cross-border transfer agreement and inform the Swiss Federal Data Protection and Information Commissioner before the transfer is made or access to the data is provided (unless specific exceptions apply).  (See our news dated 7 October 2015 and 22 October 2015). Please note, however, that the Federal Council announced on 11 January 2017 the forthcoming adoption of the Swiss-US Privacy Shield – a framework for data transfers from Switzerland to the US. Please find our respective news entry from 12 January 2017.