Sep 272021

Switzerland Recognizes New EU Standard Contractual Clauses and Issues Guidance on International Data Transfers

William RM Long, Francesca Blythe and Sabrine Schnyder
, , ,

On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) formally recognized the new EU Standard Contractual Clauses published by the European Commission on June 4, 2021 (New SCCs). The New SCCs are intended to legitimize transfers of personal data from Switzerland to countries not deemed by the FDPIC as providing an adequate level of protection for personal data (cf. official statement) — thereby completing its guidance on international data transfers published on June 18, 2021. The aim of these documents is to reduce uncertainties in a post-Schrems II era and to help companies ensure the ongoing lawful transfer of personal data.

Where a third country is not considered adequate pursuant to Article 6(2) of the Federal Act of Data Protection (“FADP”), the data exporter should identify a data transfer mechanism to legitimize the transfer of personal data. One such mechanism is the New SCCs.

When looking to implement the New SCCs, a company should as a first step, identify the appropriate module that applies to the specific transfer:

  • Module 1: controller to controller
  • Module 2: controller to processor
  • Module 3: processor to (sub)processor
  • Module 4: processor to controller

In a second step, the exporter will have to adapt the New SCCs to reflect Swiss law, for example, replace references to the GDPR with references to the FADP, include reference to the FDPIC as the competent supervisory authority, and, until entry into force of the revised FADP, extend the scope of application to include personal data of legal entities. This can be done via, for example, an addendum to the New SCCs.

In terms of timing, for Switzerland (1) the New SCCs must be used as of September 27, 2021, for any new data transfers (or data transfers that have substantially changed); and (2) existing agreements relying on the Old SCCs must be replaced with the New SCCs by January 1, 2023.

In addition, the Swiss organization must inform the FDPIC of its proposed use of the New SCCs (Article 6(3) FADP and Article 6 Ordinance to the FADP), although this obligation ceases to exist with the entry into force of the revised FADP, expected in late 2022/early 2023.

Finally, when using the New SCCs (or another contractual safeguard pursuant to Article 6(2)(a) FADP), an organization must conduct a detailed assessment of its international data transfers pursuant to the FDPIC’s guidance of 18 June 2021. This means that the data exporter should (1) keep a detailed record of the international data transfers and (2) conduct a foreign law assessment.

If the foreign law assessment allows the data exporter to conclude that practices in the third country align with the Swiss fundamental rights, reliance on the New SCCs (and indeed the Old SCCs) should in principle be sufficient. Otherwise, the exporter must put in place additional contractual, technical, and organizational measures to address any perceived gaps in the third country. Such supplementary measures may include, for example, confidentiality obligations imposed on the importer, protective orders, encryption prior to transfer or remote-only access to personal data saved on an EU or Swiss server. If this is not possible, the transfer is not permitted.

In terms of next steps, companies will need to carefully consider the New SCCs to determine which of the modules applies to their data transfer scenarios, add an addendum for their use in Switzerland, and determine how they and other parties will comply with contractual obligations in the New SCCs and how they will roll out the New SCCs both for intragroup transfers but also data transfers to third parties. Companies will also need to ensure they have carried out a Schrems II data transfer assessment project and considered the use of the New SCCs in this context.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Sabrine Schnyder

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.