Requirements for Transfers Abroad
The DPA prohibits a transfer of personal data abroad if it could seriously endanger the personality rights of the data subjects. Such a danger can exist if the personal data are transferred to a country whose legislation does not provide adequate protection for personal data.
The countries which have implemented Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive) are considered to provide the required adequate level of data protection for personal data of individuals, but the EU Directive, unlike the DPA, does not provide such protection for legal entities. Although some EU countries have implemented protection for legal entities in their national data protection laws, not all have done so and therefore the EU countries in general cannot be considered to provide an adequate level of data protection for the personal data of legal entities.
For non-EU countries, it is necessary to check on a case-by-case basis whether they provide an adequate level of data protection. For example, neither U.S. federal law nor the laws of any U.S. state are considered to provide an adequate level of data protection. However, as of 12 April 2017, the US-Swiss Privacy Shield entered into effect. This framework, which is similar to yet separate from the US-EU Privacy Shield, replaces the US-Swiss Safe Harbor Framework and allows US-based companies to self-certify. Any US-based company which has self-certified under the US-Swiss Privacy Shield is ipso facto deemed to offer an adequate level of data protection under Swiss law for the personal data covered by such certification. As a consequence, personal data covered by the certification can be transferred from Switzerland to such US-based company even if none of the exceptions set out below apply.
Unless the laws of a country to which the personal data is transferred provide for an adequate level of protection for the personal data to be transferred, the disclosure may only be made if one of the exceptions provided for in the DPA applies. These exceptions are:
(1) there are sufficient safeguards (for example contractual clauses in a transborder data transfer agreement) to ensure an adequate level of protection for data transferred outside Switzerland;
(2) the data subject has, in the specific case, consented to the transfer of the relevant data outside Switzerland;
(3) the data processing is directly connected with the conclusion or performance of a contract and the personal data relates to a contractual party;
(4) the transfer of data is necessary in the specific case, either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before courts;
(5) disclosure is required in a specific case in order to protect the life or the physical integrity of the data subject;
(6) the data subject has made the relevant data generally accessible and has not expressly prohibited processing of the data; or
(7) disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
With necessary amendments required in order to comply with Swiss law, the model agreement of the Council of Europe or the model contracts for the transfer of personal data to third countries of the European Commission may be used in order to provide sufficient safeguards as mentioned in paragraph (1) above.
In addition, in the case of the exceptions mentioned in paragraphs (1) and (7) above, the Federal Data Protection and Information Commissioner must be informed of the safeguards or rules used. The Federal Data Protection and Information Commissioner must be informed before the first transfer of data is made or, if this is not possible, immediately after the disclosure has occurred.
The intentional failure to inform the Federal Data Protection and Information Commissioner of the safeguards or rules, in the case of the exceptions mentioned under (1) and (7) above, is punished by a fine of up to CHF 10’000. If the fine is not paid, it can be replaced by imprisonment for up to 3 months. The same applies if the information provided is intentionally inaccurate or incomplete.
A transfer of personal data back to Switzerland is not an issue under Swiss data protection law, but the processing of personal data in Switzerland must comply with the rules detailed above.