SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
its contracting partner, which were communicated beforehand to the FDPIC;
• specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;
• standard data protection clauses previously approved, established or recognised by the FDPIC; and
• binding corporate rules (BCRs) on data protection that were previously approved by the FDPIC, or by a foreign authority that is responsible for data protection and belongs to a state that guarantees adequate protection.

Mechanisms or Derogations That Apply to International Data Transfers

The FADP provides that personal data may not be disclosed abroad if this would seriously endanger the personality of the data subjects. Such a serious threat to the personality rights of the data subjects may arise if the recipient state does not have legislation that guarantees an adequate level of data protection. However, a transfer of data to such a state may be permitted if one of the foregoing conditions is fulfilled.

Regarding the standard contractual clauses (SCCs) published by the EU Commission, the FDPIC has formally recognised the SCCs for international transfers from Switzerland to third states, but only if certain changes are agreed to account for Swiss law (and for the fact that Switzerland is not an EEA member state). For data transfers subject to the GDPR only, the non-amended SCCs may be used. The parties should therefore determine whether only the FADP, or both the FADP and the GDPR, apply to the transfer in question.
The EU SCCs require a “transfer impact assessment” (TIA). This also applies to Swiss companies that use the EU SCCs (under the GDPR as well as under the FADP). As part of a TIA, the Swiss data exporter must check in each specific case whether the laws of the recipient country on official access to data (eg, for the purpose of national security or criminal prosecution) and the rights of the data subjects are compatible with Swiss data protection law and Swiss constitutional principles.

In addition, Switzerland has recently implemented the Swiss-US Data Protection Framework (DPF). It remains to be seen whether the DPF will stand, and for now many companies use the SCCs in addition to relying on the DPF.

Finally, the FDPIC has pointed out that internal company data protection rules, ie BCRs, cannot substitute for the conclusion of SCCs where transfers are made to recipients outside the group of companies bound by the BCRs.

3.6 Threat-Led Penetration Testing

Swiss legislation does not currently provide for threat-led penetration testing (TLPT) requirements, except that FINMA expects banks and securities dealers to carry out regular penetration testing (per its Circular 2023/1 Operational Risks). In addition, Swiss financial entities may be subject to DORA requirements if they operate within the EU or have connections with EU-based financial institutions or their clients. Likewise, Swiss companies affiliated with EU financial entities that provide intra-group ICT services to their EU counterparts are also covered by DORA for those activities. Furthermore, DORA applies to Swiss ICT service providers as soon as they plan to offer their services to relevant financial entities within the EU. Finally, although Swiss data protection legislation does