cross-border transfer of personal data

Cross-border transfer of personal data 

The cross-border transfer of personal data by private companies or federal bodies is only possible under certain conditions. It depends on the country to which the data is to be transferred, and certain precautions must be taken depending on the country.

Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 lettera b and d FADP)

This guidance is intended to make it easier for data owners to check the permissibility of data transfers of personal data abroad.

Based on a diagram, this guidance explains the case of data transfer abroad according to art. 16 para. 2 letters b and d FADP, if legislation is lacking there that ensures adequate protection* and this lack must be compensated by standard data protection clauses or binding corporate rules (BCR) (cf. also art. 9 para. 3 of the Ordinance to the Federal Act on Data Protection DPO, SR. 235.11). The requirements according to letters a, c and e are not addressed in this guidance.

Guide to checking the admissibility of direct or indirect data transfers to foreign countries (Art. 6 para. 2 letter a FADP) (PDF, 494 kB, 10.05.2023)

* To check whether the country to which data are transferred offers adequate data protection, the list of countries serves as a guide (see annex 1 DPO).

In principle, personal data may only be transmitted abroad if the destination country has an appropriate level of data protection. 

Appropriate level of protection guaranteed through legislation in the foreign state

Data may be disclosed abroad if the legislation of the destination country guarantees an appropriate level of protection (Art. 16 para. 1 FADP). The Federal Council decides which countries meet this requirement and publishes a list in the annex to the Ordinance to the Federal Act on Data Protection (Annex 1 DPO). The Ordinance also says what criteria the Federal Council uses in its assessment (Art. 8 DPO). If an appropriate level of protection is guaranteed, personal data can be freely transmitted from Switzerland to a country on the list, both by private companies and by federal bodies. 

Appropriate level of protection ensured through suitable guarantees

If a country has not been assessed as having an appropriate level of protection, cross-border disclosure may still be permitted if data protection can be guaranteed another way. In particular, contractual guarantees are used:

  • Data protection clauses in a specific contract: The controller and their contracting partner contractually agree specific data protection clauses that guarantee an appropriate level of protection for the data transmitted. Before the data is disclosed abroad, the Federal Data Protection and Information Commissioner (FDPIC) must be notified of these clauses. Despite this notification, responsibility for providing evidence that all necessary measures to protect the data have been taken remains with the controller. As opposed to the standard data protection clauses, the data protection clauses in a contract only apply to the disclosure provided for in the relevant contract.
  • Standard data protection clauses: Standard data protection clauses may be drawn up by individuals, interested parties or federal bodies. Such clauses must be approved by the FDPIC beforehand. No data may be disclosed abroad until the FDPIC has taken its decision on the clauses, unless the transfer can be based on other legal grounds. The FDPIC must take a decision within 90 days (DPO). However, standard data protection clauses may also be issued or recognised by the FDPIC itself. The list of clauses can be found in the Infocenter. Use of such clauses does not need to be reported to the FDPIC. 

Federal bodies can also use this type of guarantee.

  • Binding corporate rules: Data may also be disclosed to a company abroad that belongs to the same group as the controller based on binding corporate rules or BCRs. These BCRs must be approved by the FDPIC beforehand or by a foreign data protection authority in a country with an appropriate level of data protection. As soon as the FDPIC has taken a decision, data can be disclosed abroad based on binding corporate rules. If the BCRs have already been approved by a foreign data protection authority with an appropriate level of protection (e.g. an EU country), a separate decision from the FDPIC is no longer needed, and the rules can be applied straight away. 

When using contractual guarantees, the following applies:

  • The controller must ensure that the recipient complies with the agreed clauses and that the legislation of the third country allows the recipient to meet their obligations;
  • There is a presumption that the controller has taken all the necessary steps to ensure adequate protection. However, this presumption does not release the controller from liability for any damage resulting from a breach of these clauses by the recipient in particular;
  • As the data protection clauses are only binding on the contractual parties, it may be necessary in some cases to supplement them with technical measures if the law applicable to the recipient allows disproportionate access by the authorities. (s. Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 lettera b and d FADP);

Federal bodies also have the option of attaching data protection guarantees as a condition when undertaking to cooperate with a foreign state, and transferring data to the country on that basis. Here, too, the federal body must notify the FDPIC beforehand.

As soon as the controller has fulfilled this obligation, the personal data can be disclosed abroad.

An appropriate level of data protection can also be guaranteed through an agreement under international law, e.g. Convention 108+ (see section International);

Exceptions

If there are no arrangements in place to ensure an appropriate level of protection, and none of the instruments described above are used, cross-border disclosure of personal data may still be permitted under the exceptions listed in Article 17 FADP.

Duties to provide information

Data subjects must be informed if their data is to be disclosed abroad (Art. 19 para. 4 FADP). more information

Criminal liability

If data is disclosed abroad and the conditions set out in Articles 16 and 17 FADP are not met, this may have consequences under criminal law (Art. 61 let. a FADP).

Inventory

In accordance with Article 12 FADP, the inventory of processing activities must contain information on the countries involved and the guarantees.


Privacy statements on the internet

Who needs a privacy statement and what should it contain?

International cooperation

Effective data protection must transcend borders.

Schengen / Dublin

Switzerland as a Schengen member state.

Adequacy

What is meant by an adequacy decision and what is its significance?

27.08.2021 - The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts

In its statement of 27 August 2021, the FDPIC recognises the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (pursuant to Implementing Decision 2021/914/EU) as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.

07.10.2022 - European Union-U.S. Data Privacy Framework

The FDPIC has taken note of the factsheet released by the US regarding the «Data Privacy Framework (DPF)» and is analysing it.


The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Questions on data protection

Take a look at our FAQ or call our hotline.

Webmaster
Last modification 14.11.2023

Top of page