Classification [1]
Principle
Personal data may in principle [2] only be disclosed to a recipient abroad without additional measures if an adequate level of protection is guaranteed in the recipient country. The Federal Council specifies which countries meet this requirement in the annex to the Ordinance to the Data Protection Act. This includes, for example, Germany, Argentina and the United Kingdom.
European Union (EU)
The Federal Council classifies the EU General Data Protection Regulation (GDPR) as equivalent to the Swiss Data Protection Act. Accordingly, the EEA member states are included on the list of recognized countries in Annex 1 of the Ordinance to the Data Protection Act and data disclosures to these countries are generally possible without further protective measures.
USA
On August 14, 2024, the Federal Council decided that personal data can be disclosed to recipients in the USA without additional guarantees under the Swiss-U.S. Data Privacy Framework.
The prerequisite for this is that the respective recipient is certified in accordance with the CH-U.S. Data Privacy Framework. This creates similar conditions for Swiss companies as in the EEA, which already introduced the EU-U.S. Data Privacy Framework in July 2023.
A CH-U.S. Data Privacy certification ensures compliance with the prescribed data protection measures and guarantees. Various American companies such as Microsoft and Google have already been certified in accordance with the framework. A list of the affiliated players is available under the link « Data Privacy Framework ».
The CH-U.S. Data Privacy Framework certification therefore enables data to be disclosed to the USA without additional standard contractual clauses or transfer impact assessments. Nevertheless, there is no reason why the data disclosure should not be additionally secured by standard contractual clauses. In any case, we recommend having the certification and its maintenance contractually guaranteed by the data recipient.
Alternative protection mechanisms
If there is no adequacy decision for a country or if a company is not certified under the CH-U.S. Privacy Framework, a disclosure may still be permitted if appropriate data protection is guaranteed. This is often done through standard data protection clauses [3] and data protection clauses in specific contracts [4].
The planned data disclosure should be recorded in detail so that a relevant basis for its assessment is available.
Cumulative guarantees
To protect the data subjects, when data is disclosed to recipients in a country without an adequacy decision by the Federal Council, it must also be ensured that the following Swiss guarantees of fundamental rights exist in the recipient country:
- Principle of legality: There must be clear, precise and accessible rules governing the authorities' powers and access to data.
- Proportionality: The measures taken by the authorities must be suitable, necessary and reasonable for the persons concerned in order to fulfill the legal purposes.
- Legal remedies: Data subjects must have effective legal remedies at their disposal to enforce their rights.
- Protection against arbitrariness: Interventions in privacy and informational self-determination must be subject to an effective, independent and impartial body.
When checking these guarantees, the data exporter must not rely solely on statements made by the data importer.
Regardless of whether the four guarantees can be complied with, the data exporter must carry out a detailed, case-by-case analysis before disclosing data abroad.
To make all the necessary clarifications, the data protection laws applicable in the recipient country, as well as their implementation and enforcement in practice, must be examined thoroughly. If there is a lack of expertise, independent legal opinions can be obtained in order to comprehensively assess the legal situation in the recipient country. The analysis should be based on objective legal and factual circumstances. Subjective factors such as the likelihood of unlawful access to the data in the recipient country should generally not be considered.
Any additional measures
If the four guarantees mentioned above are not guaranteed in the recipient country, additional measures must be taken instead. Authorities must be prevented from gaining access to the transmitted personal data. An example of such a measure would be effective encryption of the data. On the other hand, contractual regulations alone are not sufficient, as they are not necessarily binding on authorities in third countries. Once the necessary additional measures have been implemented, the responsible data exporter must regularly review the actual and legal conditions.
Implementation
If an adequate level of data protection is achieved even without additional measures, the disclosure of data (with periodic review) can take place after the prior analysis and conclusion of the contractual arrangement. If additional measures are necessary and are implemented successfully, the data disclosure can take place once the prior analysis has been carried out, the contractual arrangement has been concluded and the additional measures have been implemented (with periodic review).
Conclusion & outlook
Although the new data protection framework with the Swiss-U.S. Data Privacy Framework brings relief, the requirements for disclosing data abroad remain high. Companies must ensure that they comply with the legal framework, especially when disclosing personal data to countries without an adequate level of data protection. Both contractual guarantees and additional protective measures are crucial to ensure data protection. Regular reviews and, if necessary, adjustments to the measures taken are essential to ensure long-term compliance with data protection requirements and to limit legal risks.
Do you have questions about data protection law and/or data disclosures abroad? Our specialists from the Regulatory & Compliance FS team will be happy to support you. We look forward to hearing from you.
[1] This is a highly simplified presentation, which should enable a quick initial classification of the topic. Each institution should determine the relevance and the specific need for action on an individual basis.
[2] Unless there is a legal exception, such as the express consent of the data subject.
[3] Standard data protection clauses can be drawn up by private or public bodies or by the Federal Data Protection and Information Commissioner (FDPIC). They can be used freely and without notification once they have been approved by the FDPIC.
[4] Contracting parties may agree separate data protection clauses in a specific contract. These clauses must be communicated to the FDPIC prior to the respective disclosure abroad.