Cross-border transfer of personal data
The cross-border transfer of personal data by private companies or federal bodies is only possible under certain conditions. It depends on the country to which the data is to be transferred, and certain precautions must be taken depending on the country.
Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 letters b and d FADP)
This guidance is intended to make it easier for data owners to check the permissibility of transfers of personal data abroad.
Based on a diagram, this guidance explains the case of data transfer abroad according to art. 16 para. 2 letters b and d FADP, if legislation is lacking there that ensures adequate protection* and this lack must be compensated by standard data protection clauses or binding corporate rules (BCR) (cf. also art. 9 para. 3 of the Ordinance to the Federal Act on Data Protection DPO, SR. 235.11). The requirements according to letters a, c and e are not addressed in this guidance.
* To check whether the country to which data are transferred offers adequate data protection, the list of countries serves as a guide (see annex 1 DPO).
Further information
- Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- Standard contractual clauses for data transfers between EU and non-EU countries
- The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts. (PDF, 159 kB, 20.09.2024)
In principle, personal data may only be transmitted abroad if the destination country has an appropriate level of data protection.
Appropriate level of protection guaranteed through legislation in the foreign state
Data may be disclosed abroad if the legislation of the destination country guarantees an appropriate level of protection (Art. 16 para. 1 FADP). The Federal Council decides which countries meet this requirement and publishes a list in the annex to the Ordinance to the Federal Act on Data Protection (Annex 1 DPO). The Ordinance also says what criteria the Federal Council uses in its assessment (Art. 8 DPO). If an appropriate level of protection is guaranteed, personal data can be freely transmitted from Switzerland to a country on the list, both by private companies and by federal bodies.
Appropriate level of protection ensured through suitable guarantees
If a country has not been assessed as having an appropriate level of protection, cross-border disclosure may still be permitted if data protection can be guaranteed another way. In particular, contractual guarantees are used:
- Data protection clauses in a specific contract: The controller and their contracting partner contractually agree specific data protection clauses that guarantee an appropriate level of protection for the data transmitted. Before the data is disclosed abroad, the Federal Data Protection and Information Commissioner (FDPIC) must be notified of these clauses. Despite this notification, responsibility for providing evidence that all necessary measures to protect the data have been taken remains with the controller. As opposed to the standard data protection clauses, the data protection clauses in a contract only apply to the disclosure provided for in the relevant contract.
- Standard data protection clauses: Standard data protection clauses may be drawn up by individuals, interested parties or federal bodies. Such clauses must be approved by the FDPIC beforehand. No data may be disclosed abroad until the FDPIC has taken its decision on the clauses, unless the transfer can be based on other legal grounds. The FDPIC must take a decision within 90 days (DPO). However, standard data protection clauses may also be issued or recognised by the FDPIC itself. The list of clauses can be found in the Infocenter. Use of such clauses does not need to be reported to the FDPIC.
Federal bodies can also use this type of guarantee.
- Binding corporate rules: Data may also be disclosed to a company abroad that belongs to the same group as the controller based on binding corporate rules or BCRs. These BCRs must be approved by the FDPIC beforehand or by a foreign data protection authority in a country with an appropriate level of data protection. As soon as the FDPIC has taken a decision, data can be disclosed abroad based on binding corporate rules. If the BCRs have already been approved by a foreign data protection authority with an appropriate level of protection (e.g. an EU country), a separate decision from the FDPIC is no longer needed, and the rules can be applied straight away.
When using contractual guarantees, the following applies:
- The controller must ensure that the recipient complies with the agreed clauses and that the legislation of the third country allows the recipient to meet their obligations;
- There is a presumption that the controller has taken all the necessary steps to ensure adequate protection. However, this presumption does not release the controller from liability for any damage resulting from a breach of these clauses by the recipient in particular;
- As the data protection clauses are only binding on the contractual parties, it may be necessary in some cases to supplement them with technical measures if the law applicable to the recipient allows disproportionate access by the authorities (see the Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 letters b and d FADP)).
Federal bodies also have the option of attaching data protection guarantees as a condition when undertaking to cooperate with a foreign state, and transferring data to the country on that basis. Here, too, the federal body must notify the FDPIC beforehand.
As soon as the controller has fulfilled this obligation, the personal data can be disclosed abroad.
An appropriate level of data protection can also be guaranteed through an agreement under international law, e.g. Convention 108+ (see section International).
Exceptions
If there are no arrangements in place to ensure an appropriate level of protection, and none of the instruments described above are used, cross-border disclosure of personal data may still be permitted under the exceptions listed in Article 17 FADP.
Duties to provide information
Data subjects must be informed if their data is to be disclosed abroad (Art. 19 para. 4 FADP).
Criminal liability
If data is disclosed abroad and the conditions set out in Articles 16 and 17 FADP are not met, this may have consequences under criminal law (Art. 61 let. a FADP).
Inventory
In accordance with Article 12 FADP, the inventory of processing activities must contain information on the countries involved and the guarantees.
Last modification 23.07.2024