
Framework conditions for data disclosure abroad

By:
Yasmine Schwager
The revised Swiss Data Protection Act (DPA) has been in force since September 1, 2023. Most financial service providers have implemented the new rules in the meantime, but uncertainty remains in some areas, particularly the disclosure of personal data abroad. Many companies depend on foreign, especially American, software solutions. This article describes the new arrangement for data exchange between Switzerland and the USA and its practical effects. It also summarizes the requirements for disclosing personal data to the EU and to other third countries.
Classification [1]

(Classification table: image not reproduced in the text.)

 

Principle

Personal data may in principle [2] only be disclosed to a recipient abroad without additional measures if an adequate level of protection is guaranteed in the recipient country. The Federal Council specifies which countries meet this requirement in the annex to the Data Protection Ordinance. The list includes, for example, Germany, Argentina and the United Kingdom.

 

European Union (EU)

The Federal Council regards the EU General Data Protection Regulation (GDPR) as equivalent to the Swiss Data Protection Act. Accordingly, the EEA member states appear on the list of recognized countries in Annex 1 of the Data Protection Ordinance, and data disclosures to these countries are generally possible without further protective measures.

 

USA

On August 14, 2024, the Federal Council decided that personal data may be disclosed to recipients in the USA without additional guarantees under the Swiss-U.S. Data Privacy Framework.

The prerequisite is that the respective recipient is certified under the CH-U.S. Data Privacy Framework. This creates conditions for Swiss companies similar to those in the EEA, where the EU-U.S. Data Privacy Framework has been in place since July 2023.

A CH-U.S. Data Privacy Framework certification commits the recipient to the prescribed data protection measures and guarantees. Various American companies, including Microsoft and Google, are already certified under the framework. The list of participating organizations is published on the Data Privacy Framework website (https://www.dataprivacyframework.gov/list). Before relying on an entry, check that it is marked as active, that it covers the Swiss-U.S. Data Privacy Framework and not only the EU-U.S. framework (the two are separate self-certifications), and that it covers the data categories you intend to disclose, for example HR data.

Certification under the CH-U.S. Data Privacy Framework therefore permits disclosure to the USA without additional standard contractual clauses or a transfer impact assessment. Nothing prevents a company from additionally securing the disclosure with standard contractual clauses. In any case, we recommend having the recipient contractually guarantee the certification and its continued maintenance, and verifying the certification status periodically.

 

Alternative protection mechanisms

If there is no adequacy decision for a country, or if a company is not certified under the CH-U.S. Data Privacy Framework, disclosure may still be permitted if appropriate data protection is guaranteed by other means. In practice this is usually done through standard data protection clauses [3] or through data protection clauses in a specific contract [4].

The planned data disclosure should be documented in detail (data categories, recipients, purposes, systems and locations involved) so that a sound basis for its assessment is available.

Cumulative guarantees

To protect the data subjects, when data is disclosed to recipients in a country without an adequacy decision by the Federal Council, it must also be ensured that guarantees equivalent to the following Swiss fundamental-rights guarantees exist in the recipient country:

  • Principle of legality: There must be clear, precise and accessible rules governing the authorities' powers and their access to data.
  • Proportionality: The measures taken by the authorities must be suitable, necessary and reasonable for the persons concerned in order to fulfill the legal purposes.
  • Legal remedies: Data subjects must have effective legal remedies at their disposal to enforce their rights.
  • Protection against arbitrariness: Interference with privacy and informational self-determination must be subject to review by an effective, independent and impartial body.

When checking these guarantees, the data exporter must not rely solely on statements made by the data importer.

Regardless of whether the four guarantees can be met, the data exporter must carry out a detailed, case-by-case analysis before disclosing data abroad.

This requires a thorough examination of the data protection laws applicable in the recipient country and of their implementation and enforcement in practice. Where in-house expertise is lacking, independent legal opinions can be obtained to assess the legal situation in the recipient country comprehensively. The analysis should rest on objective legal and factual circumstances. Subjective factors, such as the estimated likelihood of unlawful access to the data in the recipient country, should generally not be taken into account.

Any additional measures

If the four guarantees mentioned above are not assured in the recipient country, additional measures must be taken instead. Such measures must prevent authorities in the recipient country from gaining access to the transmitted personal data in readable form. An example is effective encryption of the data, with the keys remaining under the sole control of the data exporter, so that the recipient itself cannot decrypt the data and therefore cannot be compelled to hand it over in plaintext; encryption for which the recipient holds the key does not achieve this. Contractual provisions alone are not sufficient, because they are not binding on the authorities of a third country. Once the necessary additional measures have been implemented, the responsible data exporter must regularly review whether the factual and legal conditions still hold.

Implementation

If an adequate level of data protection is achieved without additional measures, the disclosure may take place once the contractual arrangement has been concluded and the prior analysis completed, subject to periodic review. If additional measures are required, the disclosure may take place only after the contractual arrangement has been concluded, the prior analysis completed and the additional measures implemented, again subject to periodic review.

 

Conclusion & outlook

Although the Swiss-U.S. Data Privacy Framework brings relief, the requirements for disclosing data abroad remain high. Companies must ensure that they comply with the legal framework, especially when disclosing personal data to countries without an adequate level of data protection. Both contractual guarantees and additional protective measures are crucial. Regular reviews and, where necessary, adjustments to the measures taken are essential to ensure long-term compliance and to limit legal risk.

 

Do you have questions about data protection law and/or data disclosures abroad? Our specialists from the Regulatory & Compliance FS team will be happy to support you. We look forward to hearing from you.



[1] This is a highly simplified presentation intended to enable a quick initial classification of the topic. Each institution should determine the relevance and the specific need for action on an individual basis.
[2] Unless a legal exception applies, such as the express consent of the data subject.
[3] Standard data protection clauses can be drawn up by private or public bodies or by the Federal Data Protection and Information Commissioner (FDPIC). Once approved by the FDPIC, they can be used freely and without notification.
[4] Contracting parties may agree separate data protection clauses in a specific contract. These clauses must be communicated to the FDPIC prior to the respective disclosure abroad.