Cross-border data transfer affects all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.
According to Swiss data protection laws, personal data may only be transferred abroad freely (i.e., without additional safeguards) if the receiving jurisdiction provides an adequate level of data protection. A cross-border data transfer occurs when personal data is transferred from Switzerland to a country outside Switzerland or when personal data located in Switzerland is accessed from outside Switzerland.
Under Swiss law, both legal entities and individuals can have data which is considered personal under the DPA. This differs from the European General Data Protection Regulation (GDPR), under which only individuals can have personal data. Generally, data transfers that are in compliance with the GDPR are also in compliance with the Swiss Federal Act on Data Protection (DPA) in terms of an individual’s personal data. When the updated DPA goes into effect on September 1, 2023, information relating to legal entities will no longer be protected.
The Federal Data Protection and Information Commissioner (FDPIC) has published a (non-binding) list of countries that provide an adequate level of protection, as it relates to individuals. In the FDPIC’s (non-binding) view, the EU provides adequate data protection for personal data. Where the receiving jurisdiction does not provide an adequate level of protection, the cross-border data transfer is subject to additional safeguards, particularly contractual clauses that ensure an adequate level of data protection abroad, or the individual’s consent to the specific circumstances. The FDPIC must be informed of safeguards undertaken relating to cross-border data disclosures. Note that while there is currently no obligation to obtain approval from the FDPIC, under the revised DPA, a formal approval from the FDPIC will likely be necessary.
The European Commission has decided that Swiss law provides adequate protection of personal data. For this reason, transfers of personal data from an EU Member State to Switzerland are, in principle, permitted.
