Philipp Rosenauer
Partner Legal, PwC Switzerland
Many Swiss companies transfer customer or employee data (or other personal data) abroad, e.g. as part of cloud outsourcing. If data are transferred to the USA or another country without adequate data protection (from a Swiss perspective), certain protective measures must be taken under the current (as well as future) Swiss Data Protection Act. In practice, this protection is often provided on the basis of so-called "standard contractual clauses" (“SCC”). These SCC are issued by the European Commission and were updated on 4 June 2021.
The Federal Data Protection and Information Commissioner ("FDPIC"), in his communication of 27 August 2021, recognized the EU standard contractual clauses revised by the European Commission, with the reservation that they be adapted and/or supplemented to align with the situation in Switzerland.
At the same time, the FDPIC set a deadline of 1 January 2023 for companies to revise any contracts concluded that were based on the old standard contractual clauses.
Swiss companies should therefore take the following precautions:
- Check whether, and with which, companies (e.g. IT providers) contracts based on the "old" standard contractual clauses were concluded; and,
- Replacement all such contracts with the new standard contractual clauses, after appropriate adaptation to the situation in Switzerland.
These arrangements can be time-consuming for the following reasons:
- In practice, companies often do not have a central inventory of such contracts (under the future amended Data Protection Act, keeping a so-called "register of processing activities" will be mandatory for many companies, which will ultimately facilitate an overview of such contracts). Consequently, these contracts must be requested and obtained from the individual internal (or external) departments concerned;
- Larger international providers, in particular, have often integrated the standard contractual clauses into their standard contracts. Although the contracts are usually geared towards European customers (i.e., take into account the requirements of the European General Data Protection Regulation), they are not geared towards the (smaller) Swiss market. Revision may therefore involve time-consuming renegotiations.
Swiss companies should therefore take action now to bring the "old" standard contractual clauses up to the new standard by 1 January 2023.
PwC supports Swiss companies across all industries with the renewal of standard contractual clauses and also with implementing the future revised Data Protection Act.
#social#
Contact us
Adrien Tharin
Director | Head of FinTech, Blockchain and Digital Assets, PwC Switzerland
Tel: +41 58 792 92 24
Anouk Geene
Senior Associate | Data Privacy | ICT | Implementationᐩ , PwC Switzerland
Tel: +41 58 792 44 00
Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 49 64
Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 43 06