Cross-border transfers of personal data

The Federal Data Protection and Information Commissioner ("FDPIC"), in his communication of 27 August 2021, recognized the EU standard contractual clauses revised by the European Commission, with the reservation that they be adapted and/or supplemented to align with the situation in Switzerland.

At the same time, the FDPIC set a deadline of 1 January 2023 for companies to revise any contracts concluded that were based on the old standard contractual clauses.

Swiss companies should therefore take the following precautions:

• Check whether, and with which, companies (e.g. IT providers) contracts based on the "old" standard contractual clauses were concluded; and,
• Replacement all such contracts with the new standard contractual clauses, after appropriate adaptation to the situation in Switzerland.

These arrangements can be time-consuming for the following reasons:

• In practice, companies often do not have a central inventory of such contracts (under the future amended Data Protection Act, keeping a so-called "register of processing activities" will be mandatory for many companies, which will ultimately facilitate an overview of such contracts). Consequently, these contracts must be requested and obtained from the individual internal (or external) departments concerned;
  
• Larger international providers, in particular, have often integrated the standard contractual clauses into their standard contracts. Although the contracts are usually geared towards European customers (i.e., take into account the requirements of the European General Data Protection Regulation), they are not geared towards the (smaller) Swiss market. Revision may therefore involve time-consuming renegotiations.