On August 27, 2021, the Federal Data Protection and Information Commissioner (FDPIC) declared to have adopted new standard clauses for cross-border data transfers. Thanks to the standard contractual clauses (also known as SCC or standard contractual clauses), personal data can also be transferred to countries without an adequate level of protection – from the perspective of the Swiss DPA – (Art. 6 para. 2 DPA). The SCC currently in force are still valid until September 29, 2021; existing SCC can still be used until the beginning of 2023.
Standard Contractual Clauses (SCC) can be used to allow the transfer of personal data to a country that does not have an adequate level of protection from the perspective of the Swiss DPA. Such an exchange of information would be inadmissible under Art. 6(1) DPA without additional safeguards.
In the revised FADP, Art. 16 (1) revDSG states that personal data may be transferred abroad if the Federal Council has examined and recognized the adequate level of protection of the recipient state. Without such a Federal Council determination, personal data may nevertheless be exported abroad if other measures can guarantee the appropriate level of data protection. SCC can provide this guarantee. These standard data protection clauses within the meaning of Art. 16 para. 2 lit. d revDSG have been recognized by the FDPIC and their use no longer has to be reported.
On August 27, 2021, the FDPIC recognized the new EU standard contractual clauses adopted by the EU Commission’s implementing decision of June 4, 2021. However, the FDPIC does not accept these model contracts and standard contractual clauses unconditionally: if necessary, these SCC will still need to be adapted and/or supplemented when they are applied. Up to now, the following model contracts and standard contractual clauses have been recognized in accordance with Art. 6 (2) a FADP:
- EU standard contractual clauses in accordance with the European Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).
- Swiss Transborder Data Flow Agreement (for outsourcing of data processing) of No-vember 2013;
- Council of Europe model contract for ensuring adequate data protection in the context of cross-border data flows.
These will now no longer be recognized as of 27.09.2021. New registrations will no longer be possible from 27.09.2021 and the transition period for existing contracts with such model clauses or contracts can continue to be used until 01.01.2023, provided that the data processing or the contract is not significantly changed in the meantime. After that, they will be replaced by the new standard contractual clauses or by a sui generis contract.
The European SCC are now divided into modules. The individual modules divide the data transfer into four possibilities. This allows the general contractual clauses, which the parties must necessarily integrate into their contract, to be supplemented with the contractual components tailored to the specific case.
An adaptation of the newly recognized SCC is necessary if the use case is subject to the DPA. The adaptations should ensure that the specific requirements of the DPA are met. No adaptations may be made if the DSGVO is applicable to the data transfer. In the case of data transfers abroad where the DPA and also the GDPR are relevant, the parties may nevertheless adapt the SCC: they either prepare two documents, one fulfilling the requirements of the DPA and the other the requirements of the GDPR, or they declare the requirements of the GDPR to be applicable in their entirety.
The FDPIC has listed and published a detailed overview of the necessary adaptations of the SCCs in order to ensure an adequate level of protection in its publication “Die Übermittlung von Personendaten in ein Land ohne angemessenes Datenschutzniveau gestützt auf anerkannten Standardvertragsklauseln und Musterverträge”.
An overview of the necessary adjustments to the SCC to ensure an adequate level of protection has been listed and published in detail by the FDPIC in its associated guidance.