Privacy Shield – a brief overview

01.05.17 - Since 12 April 2017, US companies have been able to self-certify for the Swiss-US Privacy Shield. To do so, they must register on the Department of Commerce (DOC) website and meet the certification requirements.

Swiss companies should note the following:

  • Swiss companies can only benefit from the less stringent conditions when transferring data to US companies if the latter are certified for the Swiss-US Privacy Shield and thus recognise the FDPIC as the oversight body. Certification for the EU-US Privacy Shield does not suffice.

  • Before Swiss companies transfer personal data to US companies, they must ascertain whether the US companies are certified for the Swiss-US Privacy Shield. The DOC website has a filter to help companies search in the published list of certified companies (‘Advanced’ button). If a particular US company is not registered, other measures must be taken to transfer personal data in accordance with data protection rules. These may include contractual guarantees or Binding Corporate Rules (cf. Art. 6 para. 2 of the Federal Data Protection Act, FDAP).

  • Public authorities cannot self-certify for the Swiss-US Privacy Shield.

  • Companies under private law can only self-certify if they are subject to the oversight of the Federal Trade Commission (FTC) and the Department of Transportation (DOT). Banks, insurance companies and telecommunication companies cannot usually self-certify. If data is to be transferred to US companies in these fields, contracts must first be concluded or other safeguards put in place (cf. Art. 6 para. 2 let. a FDAP).