Authored by: K Royal, technology columnist for www.AccDocket.com, and vice president, associate general counsel of privacy, and compliance/privacy officer at CellTrust Corp.

This article was published as part of ACC’s “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors.

Question:

Do the Swiss have the same cross-border data transfer requirements as the European Union?

Answer:

Actually, the two are very similar. Switzerland has requirements for transferring data across borders much like the European Union does. Article 6 of the Swiss Data Protection Act (FADP) states that “personal data may not be transferred abroad if to do so might seriously jeopardize the personality rights of the data subject, in particular in cases when there is no legislation that can guarantee an appropriate level of protection.”

The FADP goes on to clarify that if legislation is not in place that provides appropriate protection, personal data may be transferred abroad only under the following circumstances:

  • There is a sufficient guarantee such as a contractual agreement;
  • With express consent of the data subject;
  • In performance of a contract where the data subject is a party;
  • In specific circumstances (public interest, exercising, or enforcing legal rights);
  • To protect life or prevent injury;
  • The data subject made the information publicly available and not forbidden the processing; or,
  • Within an entity or a group of entities under the same management and under data protection rules which provide an adequate level of protection.

The Swiss have published a list of countries that categorize data protection as sufficient, sufficient under certain conditions, and insufficient. It is not surprising that the countries match those of the EU adequacy determinations along with the US-Swiss Privacy Shield. US companies can now self-certify to the Shield, which replaces the former US-Swiss Safe Harbor Agreement.

The Swiss website provides a template cross-border processing agreement. Additionally, the Swiss permit the EU model contract clauses to be used as long as they are modified “to extend protection to the personal data of legal entities and personality profiles.” 

For further reading, download ACC’s White Paper on “What Every GC Needs to Know About Third Party Cyber Diligence.”