Requirements for cross-border disclosure of personal data
The FADP provides that personal data may not be disclosed abroad if this would seriously endanger the personality of the data subjects. Controllers or processors may therefore, in principle, transfer or disclose personal data abroad if the legislation of the relevant state or international body guarantees an adequate level of protection. In particular, EU and EEA member states are considered to provide the required adequate level of data protection for data pertaining to individuals.
By contrast, if the state where the recipient is based does not have legislation that guarantees an adequate level of data protection, cross-border disclosure of personal data is not permissible without further measures. Whether the recipient state provides for an adequate level of data protection is decided by the Swiss Federal Council and is stated in Annex 1 of the FDPO.
Therefore, for recipients based in countries outside the EU and EEA, it is necessary to check on a case-by-case basis whether they provide an adequate level of data protection by consulting the FDPO.
Where personal data is disclosed to a country that is deemed unsafe from a data protection perspective, and unless an exception applies, at least one of the following conditions must be fulfilled to compensate for the lack of protection:
- an international treaty;
- data protection provisions of a contract between the controller or the processor and its contracting partner, which were communicated beforehand to the FDPIC;
- specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;
- standard data protection clauses previously approved, established or recognised by the FDPIC; and/or
- binding corporate rules on data protection which were previously approved by the FDPIC, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection.
For example, the standard contractual clauses (SCC) published by the EU Commission on 4 June 2021 were recognised by the FDPIC in its statement of 27 August 2021, provided that certain amendments are made to explicitly reference Swiss data protection law (the so-called “Swiss Finish”).