Cross-border transfer of personal data (original) (raw)

The cross-border transfer of personal data by private companies or federal bodies is only possible under certain conditions. It depends on the country to which the data is to be transferred, and certain precautions must be taken depending on the country.

In principle, personal data may only be transmitted abroad if the destination country has an appropriate level of data protection.

Appropriate level of protection guaranteed through legislation in the foreign state

Data may be disclosed abroad if the legislation of the destination country guarantees an appropriate level of protection (Art. 16 para. 1 FADP). The Federal Council decides which countries meet this requirement and publishes a list in the annex to the Ordinance to the Federal Act on Data Protection (Annex 1 DPO). The Ordinance also says what criteria the Federal Council uses in its assessment (Art. 8 DPO). If an appropriate level of protection is guaranteed, personal data can be freely transmitted from Switzerland to a country on the list, both by private companies and by federal bodies.

List of countries (Annex 1 DPO)

• DPO annex 1

Appropriate level of protection ensured through suitable guarantees

If a country has not been assessed as having an appropriate level of protection, cross-border disclosure may still be permitted if data protection can be guaranteed another way. In particular, contractual guarantees are used:

• Data protection clauses in a specific contract: The controller and their contracting partner contractually agree specific data protection clauses that guarantee an appropriate level of protection for the data transmitted. Before the data is disclosed abroad, the Federal Data Protection and Information Commissioner (FDPIC) must be notified of these clauses. Despite this notification, responsibility for providing evidence that all necessary measures to protect the data have been taken remains with the controller. As opposed to the standard data protection clauses, the data protection clauses in a contract only apply to the disclosure provided for in the relevant contract.
• Standard data protection clauses: Standard data protection clauses may be drawn up by individuals, interested parties or federal bodies. Such clauses must be approved by the FDPIC beforehand. No data may be disclosed abroad until the FDPIC has taken its decision on the clauses, unless the transfer can be based on other legal grounds. The FDPIC must take a decision within 90 days (DPO). However, standard data protection clauses may also be issued or recognised by the FDPIC itself. The list of clauses can be found in the Infocenter. Use of such clauses does not need to be reported to the FDPIC.

Federal bodies can also use this type of guarantee.

• Binding corporate rules: Data may also be disclosed to a company abroad that belongs to the same group as the controller based on binding corporate rules or BCRs. These BCRs must be approved by the FDPIC beforehand or by a foreign data protection authority in a country with an appropriate level of data protection. As soon as the FDPIC has taken a decision, data can be disclosed abroad based on binding corporate rules. If the BCRs have already been approved by a foreign data protection authority with an appropriate level of protection (e.g. an EU country), a separate decision from the FDPIC is no longer needed, and the rules can be applied straight away.

When using contractual guarantees, the following applies:

• The controller must ensure that the recipient complies with the agreed clauses and that the legislation of the third country allows the recipient to meet their obligations;
• There is a presumption that the controller has taken all the necessary steps to ensure adequate protection. However, this presumption does not release the controller from liability for any damage resulting from a breach of these clauses by the recipient in particular;
• As the data protection clauses are only binding on the contractual parties, it may be necessary in some cases to supplement them with technical measures if the law applicable to the recipient allows disproportionate access by the authorities. (s. Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 lettera b and d FADP);

Federal bodies also have the option of attaching data protection guarantees as a condition when undertaking to cooperate with a foreign state, and transferring data to the country on that basis. Here, too, the federal body must notify the FDPIC beforehand.

As soon as the controller has fulfilled this obligation, the personal data can be disclosed abroad.

An appropriate level of data protection can also be guaranteed through an agreement under international law, e.g. Convention 108+.

Exceptions

If there are no arrangements in place to ensure an appropriate level of protection, and none of the instruments described above are used, cross-border disclosure of personal data may still be permitted under the exceptions listed in Article 17 FADP.

Duties to provide information

Data subjects must be informed if their data is to be disclosed abroad (Art. 19 para. 4 FADP).

Duty to provide information

The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected. Without information, the data subject is not necessarily aware that their personal data is being processed and cannot therefore exercise their rights under the FADP. The FADP therefore requires the data controller to inform the data subject that their data is being gathered, no matter the type of data concerned.

Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 lettera b and d FADP)

This guidance is intended to make it easier for data owners to check the permissibility of data transfers of personal data abroad.

Based on a diagram, this guidance explains the case of data transfer abroad according to art. 16 para. 2 letters b and d FADP, if legislation is lacking there that ensures adequate protection* and this lack must be compensated by standard data protection clauses or binding corporate rules (BCR) (cf. also art. 9 para. 3 of the Ordinance to the Federal Act on Data Protection DPO, SR. 235.11). The requirements according to letters a, c and e are not addressed in this guidance.

* To check whether the country to which data are transferred offers adequate data protection, the list of countries serves as a guide (see list of countries in Annex 1 DPO, link above).

• Guide to checking the admissibility of direct or indirect data transfers to foreign countries (Art. 6 para. 2 letter a FADP)PDF506.31 kB1 June 2021

On 15 September 2024, the amendment to the list of countries in Appendix 1 of the DPO with regard to the USA came into force. The associated legal framework (Swiss-U.S. Data Privacy Framework)offers persons in Switzerland with complaints relating to potential violations of data protection laws in the USA various options for obtaining legal remedies. Below you will find the form for complaints procedures against certified US organisations /companies (commercial matters) and the form for complaints regarding the processing of personal data by the US intelligence services.

Model complaint form for the submission of complaints in connection with commercial aspects of the Swiss-USA Data Privacy Framework to the FDPIC

There are several options available to you for filing a complaint regarding a participat-ing organization's compliance with the DPF Principles:

Model Complaint Form to the US Office of the Director of National Intelligence's Civil Liberties Protection [Officer (ODNI CLPO)[1]

Redress procedures for individuals from Switzerland in connection withalleged violations of US law concerning data collected by the US authorities responsible for national security