Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.
On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) recognised the revised EU standard contractual clauses (SCC) published on June 4, 2021 as contractual safeguards (see our Briefing from June 2021) for transfers of personal data by Swiss companies to countries without an adequate level of data protection, provided that some amendments as specified by the FDPIC are made (see the FDPIC's communication of August 27, 2021). Swiss companies currently relying on SCC to transfer personal data abroad will need to adopt the new SCC by December 31, 2022 at the latest.
Until December 31, 2022, Swiss companies may still rely on the old SCC for continued and not significantly changed data exports, provided that the SCC were entered into prior to September 27, 2021. After the latter date, the old SCC may not be entered into anymore. We recommend to cease using the old SCC and to replace any existing SCC with the new SCC if no other safeguards are available for data exports after September 27, 2021.
The new SCC include four modules representing different data export scenarios:
As a first step, the data exporting Swiss company must now select the appropriate module in each specific case and then analyse whether the envisaged data transfer is subject to: (i) only the FADP or (ii) both the FADP and the GDPR. The data exporter should continue by making the following (minor) amendments to the new SCC:
Furthermore, the SCC provisions relating to the applicable law and the place of jurisdiction must be adapted (how to do this depends on whether only the FADP or also the GDPR applies).
Yes, the FDPIC stresses in its communication of August 27, 2021 that Swiss companies need to assess on a case-by-case basis whether contractual clauses are actually suitable for ensuring appropriate protection of the transferred personal data or whether supplementary measures need to be in place in addition to the SCC.
As set out in the FDPIC's guide of June 2021 to checking the admissibility of direct or indirect data transfers to foreign countries, the data exporter needs to evaluate on a case-bycase basis whether the laws in the receiving country relating to lawful data access by foreign public authorities (e.g. for national security or criminal investigation purposes) and data subject rights are compatible with Swiss data protection law and Swiss constitutional principles. In particular, to be compatible, the foreign law must provide the following four guarantees: (i) a clear legal basis for such lawful data access, (ii) the authorities' powers and measures must be suitable and necessary to fulfil the legal purposes of their access, (iii) data subjects in Switzerland must have effective legal remedies to enforce their rights to privacy (e.g. rights of access, rectification and deletion), and (iv) legal recourse as well as access to an independent, impartial court must be possible.
If the data exporter concludes that the third country provides these four guarantees, the SCC can be entered into and will provide an adequate level of data protection. Otherwise, the data exporter must take additional measures to ensure that transferred data is adequately protected. These may be of a contractual, technical or organisational nature (see our Briefing from June 2021).
SCC are only one option to provide sufficient safeguards for transfers of personal data to countries without an adequate level of data protection. Other options which Swiss companies may consider include binding corporate rules (“BCRs”) for group-internal data transfers or individual contractual clauses. These, however, require a case-by-case examination and approval by the FDPIC and are therefore more burdensome. Furthermore, Swiss companies which transfer personal data abroad in order to fulfil their contractual duties towards their customers do not need to sign SCC or implement BCRs for such transfers (e.g. a travel agency that shares the name and contact details of a customer with the hotel the customer has booked).
In practice, as in the past, we expect the new SCC to be the most relevant basis for cross-border data transfers from Switzerland to third countries without an adequate level of data protection.
Data transfers based on the new SCC must still be notified to the FDPIC until the Revised FADP enters into force. The same applies if parties decide to enter into the old SCC until September 27, 2021. However, if the new or old SCC are used, a simple notification letter to the FDPIC is sufficient, and no case-by-case examination by the FDPIC is required. Even though this question is not explicitly addressed in the FDPIC's communication of August 27, 2021, Swiss companies which have previously informed the FDPIC about their use of the old SCC are advised to again inform the FDPIC after having implemented the new SCC.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.
Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.