On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU's recently approved standard contractual clauses as a mechanism for transferring Swiss personal data to non-adequate countries. However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).

The adjustments will depend on whether the transfer is subject only to the FADP or whether it is also subject to the GDPR.  The Authority provided the following overview of adjustments:

Case 1: The data transfer is exclusively subject to the FADP (see Ftn.: 1)

Case 2: The data transfer is subject to both the FADP and the GDPR (see Ftn.: 2)
Option 2.1: The parties provide for two “separate” arrangements for data transfers under the FADP and under the GDPR
Option 2.2: The parties adopt the GDPR standard for all data transfers

Competent supervisory authority in Annex I.C under Clause 13
Case 1: Mandatory FDPIC
Case 2: Parallel supervision: FDPIC, insofar as the data transfer is governed by the FADP; EU authority insofar as the data transfer is governed by the GDPR (the criteria of Clause 13a for the selection of the competent authority must be observed)

Applicable law for contractual claims under Clause 17
Case 1: Swiss law or the law of a country that allows and grants rights as a third party beneficiary
Option 2.1: Swiss law or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfer pursuant to the FADP; law of an EU member state for those according to the GDPR (free choice for Module 4)
Option 2.2: Law of an EU member state (free choice for Module 4)

Place of jurisdiction for actions between the parties pursuant to Clause 18b (see Ftn.: 3)
Case 1: Free choice
Option 2.1: Free choice for actions concerning data transfers pursuant to the FADP; court of an EU member state for actions concerning data transfers pursuant to the GDPR (free choice for Module 4)
Option 2.2: Courts of an EU member state (free choice for Module 4)

Adjustments or additions concerning the place of jurisdiction for actions brought by data subjects
The SCCs must be supplemented with an annex specifying that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18c.

Adjustments or additions regarding references to the GDPR
Case 1: The SCCs must be supplemented with an annex specifying that references to the GDPR are to be understood as references to the FADP.
Case 2: The SCCs must be supplemented with an annex specifying that the references to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.

Supplement until the entry into force of the revFADP (see Ftn.: 4)
The SCCs are to be supplemented with an annex in which it is specified that the clauses also protect the data of legal entities until the entry into force of the revised FADP.

Footnotes:

1. Conditions: GDPR does not apply (no connecting factor pursuant to Art. 3 GDPR); the data exporter is in Switzerland and the data is transferred to an unsecure third country.

2. Conditions: GDPR applies to certain data transfers due to extraterritorial application in terms of Art. 3 GDPR; the data exporter is a controller or a processor who falls within the scope of the FADP, e.g. because they are in Switzerland, and the data is transferred to an unsecure third country.

3. This is to be distinguished from the assertion of rights by data subjects at their place of habitual residence, cf. the following row of the table and the explanations under point 4.3.4.

4. Expected date of entry into force: 1 January 2023.

Finally, the Swiss Federal Data Protection Authority clarified that although the old standard contractual clauses cannot be implemented in any new contracts signed after September 27, 2021, companies that executed the clauses can continue to use them until December 27, 2022, provided the transfer details remain unchanged.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.