Skip to content

Switzerland has had the EU’s adequacy decision since 2000. Switzerland’s adequacy has now been re-examined and the European Commission has published its report, in which Switzerland’s level of data protection was deemed to be guaranteed in the context of the European data protection framework.

Background and context for the first review

In its report of 15 January 2024, the EU determined that Switzerland also has an adequate level of data protection based on the GDPR. The EU Commission thus confirms its first review of the adequacy findings on the basis of Art. 25 para. 6 of the then Data Protection Directive (95/46/EC) and certifies an adequate level of data protection for eleven countries, including Switzerland. Data can therefore be transferred from the EU to these countries without additional requirements in accordance with Art. 46 GDPR.

The GDPR and the adequacy findings under the former Data Protection Directive exist side by side. However, according to the EU Commission, developments in third countries must be continuously monitored in order to ensure the effectiveness of the decisions taken. In addition, the Commission must review these findings every four years on the basis of Art. 97 GDPR.

The importance of adequacy findings has increased continuously in recent years and will continue to change in the future, as the cross-border transfer of data is now part of everyday business life. In addition, respect for privacy with regard to data flows is also playing a greater role in secure and competitive trade. Data should therefore also be protected after it has been transferred and be in line with the rights of the individual and the increasing digital transformation. Adequacy findings thus enable the free movement of personal data, promote trade within the EU and facilitate cooperation in various regulatory areas with foreign partners.

Subject matter and method of the review

The adequacy findings are based on the EU data protection framework that preceded the GDPR. The decision on Switzerland has already been in force for 20 years. Since then, the data protection frameworks in all countries have evolved due to legislative reforms or developments in the practice of data protection authorities.

The EU Commission focussed on developments since the last adequacy findings and assessed how these developments have affected the data protection landscape and whether the various regulations continue to ensure an adequate, equivalent level of protection. The EU data protection regulations, in particular the entry into force of the GDPR, were also comprehensively taken into account.

An identical level of protection is not expected in third countries – instead, the level must be “equivalent in substance” to the level guaranteed in the EU. Furthermore, according to the European Court of Justice, the EU Commission’s assessment should include not only the general data protection framework, but also the rules on access to personal data by public authorities.

Review procedure

To carry out the adequacy assessment, the Commission services have taken various steps in recent years in co-operation with the countries concerned. The EU Commission has obtained information from the eleven monitored countries on the development of their data protection regimes since the adequacy finding. This information included detailed data on access to personal data by public authorities. In addition, information was obtained from authorities and local experts on the functioning of the regulations and relevant legal and practical developments. Both data protection regulations for private operators and access by public authorities were taken into account.

On the basis of this information, an intensive dialogue was conducted with each country concerned. As part of this dialogue, many of these countries modernised and strengthened their data protection legislation – including Switzerland – to ensure the continuity of the adequacy findings. In parallel, the EU institutions were informed by the Commission services and their views were sought.

Review of Switzerland

The EU already had to review the adequacy decisions in spring 2019. In Switzerland, this was delayed due to the revision of the Swiss Data Protection Act, which came into force in September 2023. The DPA thus also aimed to harmonise with the stricter EU data protection rules and maintain the European adequacy decision.

The Commission assessed that Switzerland has an adequate and equivalent level of data protection and that personal data can therefore continue to be transferred from the EU to Switzerland. The review took into account developments such as the revision of the FADP and the ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108 ). The handling of personal data by government agencies was also examined. It was concluded that Switzerland lawfully accesses data from the EU by complying with national and international legal bases in order to protect public interests.

Sources: