SWITZERLAND Law and Practice Contributed by: Lukas Morscher, Lukas Staub and Jil Eichenberger, Lenz & Staehelin
individuals responsible for breaches/violations directly, whereas under the GDPR, sanctions are imposed on the company itself. This ensures Switzerland maintains its status as a country adequately protecting personal data from an EU perspective, facilitating data transfers. To this effect, the European Commission renewed its adequacy decision for Switzerland in January 2024.

The revised DPA is also aligned with the revised European Convention on Human Rights and Fundamental Freedoms and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (the “Convention ETS 108”).

Cross-Border Data Transfers

Personal data may only be transferred outside of Switzerland if adequate measures are in place to ensure that the privacy of the data subject is not significantly at risk, in particular, due to the absence of legislation that guarantees adequate protection in the jurisdiction where the recipient resides. The Federal Council has published a list of jurisdictions that provide adequate data protection in Appendix 1 to the DPO. The EEA countries, Andorra, Argentina, Canada, the Faroe Islands, Gibraltar, Guernsey, the Isle of Man, Israel, Jersey, Monaco, New Zealand, the United Kingdom and Uruguay are generally considered to provide an adequate level of data protection as regards personal data, while the laws of all other jurisdictions do not provide adequate data protection.

As regards data transfers to the US, the Swiss-US Privacy Shield (which replaced the US-Swiss Safe Harbour Framework in 2017), under which Swiss companies were able to transfer personal data to their US business partners without the need to procure the consent of each data subject or to put additional measures in place, was declared invalid by the FDPIC in September 2020. Effective 15 September 2024, the Swiss Federal Council approved the adequacy of data protection exclusively for personal data transfers to US companies certified under the data privacy framework (the “DPF”). While this allows data transfers to certified US companies, it does not grant the United States as a whole the status of a country with adequate data protection. Only businesses that meet the certification requirements of the DPF qualify for this facilitated transfer mechanism.

In the absence of legislation that guarantees adequate protection, personal data may only be transferred outside Switzerland if, inter alia:

• sufficient safeguards (in particular, standard contractual clauses) ensure an adequate level of protection abroad;
• the data subject has consented in the specific case;
• the processing is directly connected with the conclusion or the performance of a contract (and the personal data is that of a contractual party); or
• disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules (ie, binding corporate rules).

In practice, in order to ensure an adequate level of data protection, data transfer agreements or data transfer clauses (ie, binding corporate rules) are regularly used. It is the responsibility of the data transferor to ensure that an agreement sufficiently protecting the rights of the data subjects is concluded. The FDPIC recognises the new set of standard contractual clauses, issued