The Swiss Federal Data Protection and Information Commissioner (‘FDPIC’) has issued a guide that facilitates checking the admissibility of data transfers to foreign countries. Art. 6 (1) of the Swiss Federal Act of Data Protection (‘FADP’) states that “personal data may not be disclosed abroad, if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection”. In the absence of such legislation, a transfer can nevertheless take place if this is compensated by sufficient guarantees. Based on a verification schema, the guidance of the FDPIC explains the case of data transfer abroad according to Art. 6 (2) (a) FADP.
What are the key takeaways?
The data exporter subject to Art. 6 FADP cannot rely on ‘something solid’ for the data transfer. They bear the overall responsibility despite indications such as the list of countries the FDPIC has issued. It should be noted that the current list of countries of the FDPIC is not binding yet. This will change once the revised FADP comes into force.
The data exporter has the duty to ensure that an adequate level of data protection is guaranteed when the data is processed in the destination country. If the data is transferred to an EU country, an adequate level of data protection can be assumed.
A) If the destination country appears on the FDPIC’s list of countries providing adequate protection (Art. 6 (1) FADP):
- If the owner of data collection transfers data to a country that is on the FDPIC's list of countries that have an adequate level of data protection, they are deemed to be acting in good faith. However, if they know that an adequate level of data protection might not be guaranteed, they cannot rely on that assumption. As mentioned, the data exporter remains responsible for the export and must check periodically whether protection is still adequate and if there are any reasons to believe that personal data cannot be processed securely in the destination country. In this case, the further steps below will be necessary.
B) If there is no adequate protection according to the FDPIC’s list of countries, or there are indications that no data transfer in conformity with data protection is possible (Art. 6 (2) (a) FADP):
If the country is not on the FDPIC's list of countries offering adequate data protection, or if it is on the list but there are indications that an adequate level of data protection cannot be assumed, the data exporter must establish sufficient safeguards, in particular by means of a contract. Standard Contractual Clauses (SCCs) will be used as a basis.
- The data exporter must keep detailed records of the data transfer, e.g. in the records of processing activities. These records form the basis for assessing the data export. The exporter shall describe categories, processors and sub-processors, purpose and so on.
- The data exporter must check whether any access that could likely be required for national security or criminal investigation purposes is compatible with Swiss data protection law and Swiss constitutional principles. Again, the exporter must carry out the evaluations themselves and may not rely only on the opinion of the data importer. Namely, the following Swiss fundamental rights must be guaranteed in the third country (‘four guarantees’):
1. Principle of legality: sufficiently specific and clear legal provisions on the powers of public authorities and the purposes thereof, and procedures and material requirements for access to data by public authorities.
2. Proportionality of the powers and measures regarding the regulatory objectives pursued: the powers and measures available to the authorities must be suitable and necessary for the authorities to fulfil the legal purposes of their access. They also must be reasonable as far as the data subjects are concerned.
3. Effective legal remedies must be available to the individual: data subjects in Switzerland must have an effective legal remedy to enforce their rights to privacy and information (e.g. rights of access, rectification and deletion).
4. Guarantee of legal recourse and access to an independent and impartial court: intrusions must be subject to an effective, independent and impartial monitoring court or other independent body.
- If the four guarantees are given, the SCCs are sufficient: an adequate level of data protection can be achieved with the standard SCCs. All that’s left to do is to consider the individual implementation of the SCCs and whether further contractual measures for individual protection are necessary.
- If the four guarantees are not given, the SCCs and the mandatory supplementary measures are needed: additional measures serving as ‘substitutes’ must be examined. Additional technical and organisational measures must be sufficiently effective so that the authorities in the destination country are denied access to the personal data. After implementing the necessary additional measures, the data exporter must regularly review the technical and legal requirements.
Suspension or termination of data disclosure abroad
If additional measures cannot compensate for the identified deficiencies in fulfilling the four guarantees and if there is therefore no sufficient guarantee pursuant to Art. 6 (2) (a) FADP, the data transfer abroad must be suspended or terminated immediately.
The guideline of the FDPIC provides some updated clarification for data transfers abroad under the current FADP.
The Swiss data exporter shall perform a Transfer Impact Assessment, which is also required under the new SCCs of 4 June 2021. The data exporter has a full obligation to ensure the security of the data, with little to no reliance on the data importer. They have some demanding ‘homework’ to do. Deeper knowledge will be needed: some passages in the guidance state that the data exporter must “carry out the necessary legal clarifications itself, e.g. by consulting literature and case law or obtaining independent legal advice”. Until the revised FADP comes into force, this updated guidance will serve as an important reference for data transfers from Switzerland to a third country.