Transferring personal data overseas demands utmost care. When you're exporting data, it's on you to confirm the international recipient upholds data security standards in line with Switzerland's expectations.
💡 In a nutshell, data transfers to unsafe third countries are possible under the nFADP under certain conditions, but they always involve additional effort and risk. Bear in mind that there is an alternative: not sending the data abroad at all and switching to European providers instead.
Transferring data to safe third countries
A data transfer is unproblematic if it goes to a safe third country. Switzerland has defined a list of safe third countries, which consists mainly of the EU member states.
Transferring data to unsafe third countries
Unsafe third countries include the USA, which can make cooperation with companies based there problematic. However, the European Commission recently recognized a new EU-US data protection framework that introduces new binding data protection safeguards. As a result, EU companies are now allowed to work with U.S. data processors without further safeguards.
Switzerland is also in discussions with the U.S. to establish a similar framework. So far, however, the Swiss list of safe third countries remains unchanged. So for data transfers to the USA (or any other country not on the list), you need an extra layer of safeguarding. This means signing an agreement with the data processor that contains specific data protection clauses. Drafting these clauses on your own? Tricky and potentially risky.
Instead, it is safer to use the so-called standard contractual clauses (SCCs) developed by the EU and recognized by Switzerland. Note, however, that even these do not amount to unrestricted clearance. The SCCs require that you, as the data controller, perform your own risk analysis to check whether the legal situation in the third country makes access to the data by authorities possible and likely. If it does, the SCCs alone are not sufficient; the transmitted data must then be additionally secured, for example through encryption.
The Swiss data protection authority has published instructions for conducting such a risk analysis. If your risk analysis concludes that the legal situation in the third country does not rule out adequate data protection, you can use the EU's standard contractual clauses. You do this by creating an agreement into which you incorporate the text of the SCCs verbatim. There are, however, some places where contextual adjustments can and must be made; these are marked accordingly in the text.
If you use the SCCs from Switzerland, you must supplement them with an annex as required by the FDPIC. In this annex, it must be made clear that the term “Member State” is extended so that data subjects in Switzerland can also assert their rights under clause 18c. Furthermore, it must be clarified that references to the GDPR are to be understood as references to the nFADP wherever the data transfers are subject to the nFADP.
Here’s your cross-border transfer checklist
Make an overview of all your data processors abroad.
☝️Tip: You can use our PII Data Inventory and Data Protection Impact Assessment (DPIA) Template to list your data processors abroad. You'll find this under your Shared Drive or ask your Customer Success Manager.
Create an agreement with each data processor and include the SCCs.
Read the SCCs carefully and adapt them to your context only where explicitly necessary.
Finalize the contracts and add them to your Vendors Page to prove your legal compliance.
Update your privacy policy to reflect any cross-border data transfers. Also, if individuals ask about their data, disclose the countries receiving it and the protective measures in place.
Even if it is possible to transfer personal data abroad in this way, you should ask yourself in each particular case whether it still makes sense. Not only does it mean extra work and legal uncertainty, but your customers and visitors may not appreciate having their data shared with US corporations.
🇪🇺🇪🇺🇪🇺 Opting for EU solutions not only simplifies the process but also makes your company more trustworthy.