Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfer affects all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.
According to Swiss data protection laws, personal data may only be transferred abroad freely (i.e., without additional safeguards) if the receiving jurisdiction provides an adequate level of data protection. A cross-border data transfer occurs when personal data is transferred from Switzerland to a country outside Switzerland or when personal data located in Switzerland is accessed from outside Switzerland.
Under Swiss law, both legal entities and individuals can have data which is considered personal under the DPA. This differs from the European General Data Protection, under which only individuals can have personal data. Generally, data transfers that are in compliance with the European General Data Protection are also in compliance with the Swiss Federal Act on Data Protection (DPA) in terms of an individual’s personal data. It’s likely that when the DPA is revised, it will no longer protect information relating to legal entities.
The Federal Data Protection and Information Commissioner (FDPIC) has published a (non-binding) list of countries that provide an adequate level of protection, as it relates to individuals. In the FDPIC’s (non-binding) view, the EU provides adequate data protection for personal data. Where the receiving jurisdiction does not provide an adequate level of protection, the cross-border data transfer is subject to additional safeguards, including meeting one of the following conditions:
- the existence of a transborder dataflow contract or other safeguard to ensure adequate data protection in a foreign country;
- binding corporate rules relating to data protection for international data transfers;
- the employee’s consent to the data transfer;
- when necessary to fulfill a contract with the individual;
- when necessary for overriding public interests or establishing/exercising/enforcing legal claims in court proceedings;
- when necessary to an individual’s life or physical integrity; or,
- the individual has made the personal data publicly available, and has not expressly prohibited the international data transfer.
When employers use binding corporate rules, transborder data flow contracts or other safeguards to manage the international transfer of employee data, the FDPIC must be informed in advance of the safeguards put in place.
The European Commission has decided that Swiss law provides adequate protection of personal data. For this reason, transfers of personal data from an EU Member State to Switzerland are, in principle, permitted.