SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
tection is guaranteed. Thus, at least one of the following conditions must be fulfilled: • an international treaty; • data protection provisions of a contract between the controller or the processor and its contracting partner, which were communi - cated beforehand to the FDPIC; • specific safeguards prepared by the compe - tent federal body and communicated before - hand to the FDPIC; • standard data protection clauses previously approved, established or recognised by the FDPIC; and • binding corporate rules (BCRs) on data protection that were previously approved by the FDPIC, or by a foreign authority that is responsible for data protection and belongs to a state that guarantees adequate protec - tion. Mechanisms or Derogations That Apply to International Data Transfers The FADP provides that personal data may not be disclosed abroad where the importing state does not have legislation that guarantees an adequate level of data protection (in accordance with an annex to the DPO). However, a transfer of data to such a state may be permitted if one of the foregoing conditions is fulfilled. Regarding standard contractual clauses (SCCs), the FDPIC formally recognised SCCs as a basis for international transfers to non-whitelisted countries, but only on the condition that the SCCs are amended slightly to account for Swiss law (and the fact that Switzerland is not an EEA member state). Due to the extraterritorial reach of the GDPR, some data transfers may additionally be subject to the GDPR, in particular if data pertaining to
EU residents is (also) transferred. Therefore, two cases should be distinguished: • in the first case, there is no link to the GDPR, and the data transfer is subject solely to the FADP; and • in the second case, the GDPR applies to cer - tain data transfers based on its extraterritorial reach, but the data exporter is a controller or a processor that falls within the scope of the FADP (eg, because it is located in Switzer - land). For data transfers subject to the GDPR, non- amended SCCs may be used. The EU SCCs require a “transfer impact assess - ment” (TIA). This also applies to Swiss compa - nies if they use the EU SCCs under the GDPR or under the FADP. As part of a TIA, the Swiss data exporter must check in each specific case whether the laws of the recipient country regard - ing official access in the recipient country (eg, for the purpose of national security or criminal prosecution) and the rights of the data subjects are compatible with Swiss data protection law and Swiss constitutional principles. According to the FDPIC, the Swiss data exporter must carry out the corresponding clarifications itself and must not rely solely on the statements of the data importer. Switzerland has recently implemented the Swiss-US Data Protection Framework (DPF) (see 5.5 Recent Developments ). Finally, the FDPIC has pointed out that internal company data protection regulations, so-called BCRs, cannot be a substitute for the conclusion of SCCs if transfers are made outside of a group of companies subject to BCRs.
429 CHAMBERS.COM
Powered by FlippingBook