On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU recently approved standard contractual clauses as a transfer mechanism to transfer Swiss personal data to non-adequate countries (see here and here). However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).
The adjustments will depend on whether the transfer is subject only to the FADP or whether it is also subject to the GDPR. The Authority provided the following overview of adjustments:
The data transfer is exclusively subject to the FADP (see Ftn.: 1)
The data transfer is subject to both the FADP and the GDPR (see Ftn.: 2)
|Option 2.1: The parties provide for two “separate” arrangements for data transfers under the FADP and under the GDPR
|Option 2.2: The parties adopt the GDPR standard for all data transfers
|Competent supervisory authority in Annex I.C under Clause 13
|Parallel supervision: FDPIC, insofar as the data transfer is governed by the FADP; EU authority insofar as the data transfer is governed by the GDPR (the criteria of Clause 13a for the selection of the competent authority must be observed)
|Applicable law for contractual claims under Clause 17
|Swiss law or the law of a country that allows and grants rights as a third party beneficiary
|Swiss law or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfer pursuant to the FADP; law of an EU member state for those according to the GDPR (free choice for Module 4)
|Law of an EU member state (free choice for Module 4)
|Place of jurisdiction for actions between the parties pursuant to Clause 18b (see Ftn.: 3)
|Free choice for actions concerning data transfers pursuant to the FADP; court of an EU member state for actions concerning data transfers pursuant to the GDPR (free choice for Module 4)
|Courts of an EU member state (free choice for Module 4)
|Adjustments or additions concerning the place of jurisdiction for actions brought by data subjects
|The SCCs must be supplemented with an annex specifying that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18c.
|Adjustments or additions regarding references to the GDPR
|The SCCs must be supplemented with an annex specifying that references to the GDPR are to be understood as references to the FADP.
|The SCCs must be supplemented with an annex specifying that the references to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.
|Supplement until the entry into force of the revFADP (see Ftn.: 4)
|The SCCs are to be supplemented with an annex in which it is specified that the clauses also protect the data of legal entities until the entry into force of the revised FADP.
1. Conditions: GDPR does not apply (no connecting factor pursuant to Art. 3 GDPR); the data exporter is in Switzerland and the data is transferred to an unsecure third country.
2. Conditions: GDPR applies to certain data transfers due to extraterritorial application in terms of Art. 3 GDPR; the data exporter is a controller or a processor who falls within the scope of the FADP, e.g. because they are in Switzerland, and the data is transferred to an unsecure third country.
3. This is to be distinguished from the assertion of rights by data subjects at their place of habitual residence, cf. the following row of the table and the explanations under point 4.3.4.
4. Expected date of entry into force: 1 January 2023.
Finally, the Swiss Federal Data Protection Authority clarified that although the old standard contractual clauses cannot be implemented in any new contracts signed after September 27, 2021, companies that executed the clauses can continue to use them until December 27, 2022, provided the transfer details remain unchanged.