Requirements for Transfers Abroad
The DPA prohibits a transfer of personal data abroad if it could seriously endanger the personality rights of the data subjects. Such a danger can exist if the personal data are transferred to a country whose legislation does not provide adequate protection of personal data.
EU and EEA member states are considered to provide the required adequate level of data protection for data pertaining to individuals. As EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), does not provide such protection for data pertaining to legal entities, EU and EEA member states are not necessarily considered to provide an adequate level of data protection for data pertaining to legal entities.
For countries outside the EU and EEA, it is necessary to check on a case-by-case basis whether they provide an adequate level of data protection. For example, neither U.S. federal law nor the laws of any U.S. state are considered to provide an adequate level of data protection. However, the Swiss-US Privacy Shield entered into effect on 12 April 2017. This framework, which is similar to yet separate from the EU-US Privacy Shield, replaces the Swiss-US Safe Harbor Framework and allows US-based companies to self-certify. Any US-based company which has self-certified under the Swiss-US Privacy Shield is ipso facto deemed to offer an adequate level of data protection under Swiss law for the personal data covered by such certification. As a consequence, personal data covered by the certification can be transferred from Switzerland to such a US-based company even if none of the exceptions set out below apply.
Unless the laws of a country to which the personal data is transferred provide for an adequate level of protection for the personal data to be transferred, the disclosure may only be made if one of the exceptions provided for in the DPA applies. These exceptions are:
(1) there are sufficient safeguards (for example contractual clauses in a transborder data transfer agreement) to ensure an adequate level of protection for data transferred outside Switzerland;
(2) the data subject has, in the specific case, consented to the transfer of the relevant data outside Switzerland;
(3) the data processing is directly connected with the conclusion or performance of a contract and the personal data relates to a contractual party;
(4) the transfer of data is necessary in the specific case, either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before courts;
(5) disclosure is required in a specific case in order to protect the life or the physical integrity of the data subject;
(6) the data subject has made the relevant data generally accessible and has not expressly prohibited processing of the data; or
(7) disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
With the amendments necessary to comply with Swiss law, the model agreement of the Council of Europe or the European Commission's model contracts for the transfer of personal data to third countries may be used to provide sufficient safeguards as mentioned in paragraph (1) above.
In addition, in the case of the exceptions mentioned in paragraphs (1) and (7) above, the Federal Data Protection and Information Commissioner must be informed of the safeguards or rules used. The Federal Data Protection and Information Commissioner must be informed before the first transfer of data is made or, if this is not possible, immediately after the disclosure has occurred.
The intentional failure to inform the Federal Data Protection and Information Commissioner of the safeguards or rules, in the case of the exceptions mentioned under (1) and (7) above, is punished by a fine of up to CHF 10’000. If the fine is not paid, it can be replaced by imprisonment for up to 3 months. The same applies if the information provided is intentionally inaccurate or incomplete.
A transfer of personal data back to Switzerland is not an issue under Swiss data protection law, but the processing of personal data in Switzerland must comply with the rules detailed above.