The transfer of personal data to countries that do not guarantee adequate protection of personal data in accordance with Swiss standards is only permitted under certain conditions. These are:
- Conclusion of a contract with the data recipients abroad, which contains sufficient guarantees for the guarantee of adequate protection abroad (for more details see further below). The contract must also be notified to the Federal Data Protection and Information Commissioner (FDPIC);
- There is a specific consent of the data subject;
- The transmission is directly related to the conclusion or execution of a contract where (only) personal data of the contractual partner is concerned;
- In individual cases where transmission is essential for an overriding public interest or for the establishment, exercise or enforcement of legal claims in court;
- Disclosure is necessary to protect the life or physical integrity of the data subject in question;
- the data subject has made the data generally accessible and has not expressly prohibited its processing; or
- Disclosure takes place within the same company or between companies under a single management and the parties involved are subject to data protection rules that ensure adequate protection (so-called binding corporate rules).
The member states of the EU and the EEA ensure an adequate level of data protection for natural persons. With regard to transfer to the USA, the US-Swiss Privacy Shield Framework does no longer offer adequate protection (see https://swissdataprotectionlaw.ch/en/swiss-us-privacy-shield-gemaess-edoeb-ungenuegend/ ).
Until recently, the EU standard contractual clauses were often used for the disclosure of personal data to countries that are not listed as “safe” on the FDPIC list of countries. However, these may now no longer be used without further measures. The FDPIC requires a comprehensive analysis of the data transfer in each individual case and under the legal circumstances in the recipient country. The data exporter must undertake all necessary inquiries (e.g., obtaining independent legal opinions) to verify whether the data protection rights can actually be guaranteed with the contractual provisions. The FDPIC has drawn up a test scheme as an aid for this analysis.