The Swiss data protection law guarantees the protection of the private sphere for data processing carried out by persons in Switzerland. However, when data is transmitted abroad, an adequate level of its protection has to be provided for thereabouts.
Due to current developments, we will continuously add to and adapt the information on this page. Status: 27 August 2021
The current regulations are as follows:
Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection (PDF, 205 kB, 08.09.2020)
Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 6 para. 2 letter a FADP)
This guidance is intended to make it easier for data owners to check the permissibility of data transfers of personal data abroad.Based on a diagram, this guidance explains the case of data transfer abroad according to art. 6 para. 2 letter a FADP, if legislation is lacking there that ensures adequate protection* and this lack must be compensated by sufficient guarantees (cf. also art. 6 para. 2 and 3 of the Ordinance to the Federal Act on Data Protection DPO, SR. 235.11). The requirements according to letters b - g are not addressed in this guidance.
* To check whether the country to which data are transferred offers adequate data protection, the list of countries (here below) serves as a guide.
The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts
In its statement of 27 August 2021, the FDPIC recognises the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (pursuant to Implementing Decision 2021/914/EU) as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.
The following explanations show which adaptations and amendments must be made. The standard contractual clauses pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU), the Swiss Transborder Data Flow Agreement (for outsourcing of data processing) of November 2013 and Council of Europe model contract to ensure equivalent protection in the context of cross-border data flows can still be notified until 27 September 2021 and continue to be used during a transitional period until 31 December 2022.
New standard contractual clauses
Previous standard contractual clauses
(The FDPIC is in the process of revising the model contract.)
If you are a responsible for a database yourself, please find more information on the topic in the respective chapters in the following publications (in German, French or Italian):