The Federal Data Protection and Information Commissioner (FDPIC) has published in its new guidance how to proceed with data transfer of personal data abroad. This is intended to facilitate the examination for the permissibility of data transfers of personal data and at the same time makes it clear that similar conceptual rules apply in Switzerland as in the EU.
Nowadays, data transfers of personal data abroad in compliance with data protection law can involve considerable effort for the exporter. The FDPIC is now contributing to transparency and thus legal certainty with its new schematic guidance.
a) Verification of the level of data protection in the third country.
Accordingly, the data exporter must ensure that an adequate level of data protection is guaranteed in the destination countries (Art. 6 DPA). In the case of EU/EEA countries, it can be assumed that they have a data protection law that provides a sufficient level of data protection.
It should be noted, however, that processors in a country with an adequate level of protection may also be subject to a law or other mandatory requirements of a third country that obligates the disclosure of the data to the authorities of said third country. In this case, the same procedure must be followed as if the state of the order processor did not have an adequate level of protection.
b) Adequacy of the level of protection
If data is exported to countries on the FDPIC list of states, the exporter is considered to be acting in good faith pursuant to Art. 3 (1) of the Civil Code. It is important to note that the exporter is still responsible for the personal data and is therefore not released from the obligation to regularly inform himself about the data protection situation in the countries concerned. Otherwise, the exporter’s good faith is refuted.
If, on the other hand, you want to transfer personal data to countries that are not on the FDPIC list of countries, the good faith principle does not apply. However, this does not mean that the country does not have an adequate level of data protection. This is because the FDPIC does not examine every state for its adequacy. It merely means that the exporter himself must carry out the necessary legal clarifications regarding the data security of this country.
c) No adequate protection
If a country does not have an adequate level of data protection, the data exporter is obliged to protect data protection by means of adequate guarantees, in particular a contract. Furthermore, he must create a detailed record of the data transfer, which serves as a relevant basis for the assessment of the intended data export.
With regard to government access to personal data and the rights of the data subjects, the data exporter is further obliged and must clarify whether the access is compatible with Swiss data protection and constitutional law. In doing so, it must investigate whether the following fundamental rights guarantees are guaranteed in the third country:
- Principle of legality – clear, precise and accessible legal rules (Art. 164 Cst.)
- Proportionality of authority measures (Art. 5 para. 2 Cst.)
- Effective legal remedies (Art. 13 para. 2 Cst.)
- Guarantee of access to justice and to independent and impartial courts (Art.29 ff. Cst.)
These guarantees must be analyzed on a case-by-case basis, taking into account all the legal circumstances in the third country as well as the instruments chosen, such as SCC, etc., for any data transfer.
According to the FDPIC, if the four guarantees are met, an adequate level of data protection can be achieved with standard SCC. If, on the other hand, the guarantees are not met, additional technical and organizational measures must be taken that can de facto prevent authorities from accessing the personal data transferred. This can take the form of data encryption, for example. If a sufficient level of data protection is not achieved even with the additional measures, the data transfer abroad must be terminated.
Additional contractual measures, on the other hand, are hardly sufficient because they do not bind third-country authorities and thus do not prevent official access.
If there are indications that personal data are processed directly or indirectly in the USA as a result of the data transfer, namely when using cloud services, therefore the FDPIC has developed a questionnaire in the appendix to its guidance to clarify the guarantees. This is intended to provide information on whether US authorities can exercise access to said personal data pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA). Should this be the case, the above-mentioned principles of proportionality and effective remedies are no longer guaranteed and the exporter must take further technical and organizational measures to protect the personal data.
d) Transfer of the data
Once the necessary measures have been implemented, the data controller must regularly review the factual and legal requirements. If the latter comes to the conclusion that data protection compliance is no longer given, the transfer of data abroad must be terminated.
On June 18, 2021, the European Data Protection Board (edpb) also published recommendations on the legal transfer of data to third countries. The requirements of the European Court of Justice, which were established in the so-called Schrems II ruling (C-311/18), were integrated into these recommendations. The recommendations are comparable to those of the FDPIC.