On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) formally recognized the new EU Standard Contractual Clauses published by the European Commission on June 4, 2021 (New SCCs). The New SCCs are intended to legitimize transfers of personal data from Switzerland to countries not deemed by the FDPIC as providing an adequate level of protection for personal data (cf. official statement) — thereby completing its guidance on international data transfers published on June 18, 2021. The aim of these documents is to reduce uncertainties in a post-Schrems II era and to help companies ensure the ongoing lawful transfer of personal data.
Where a third country is not considered adequate pursuant to Article 6(2) of the Federal Act of Data Protection (“FADP”), the data exporter should identify a data transfer mechanism to legitimize the transfer of personal data. One such mechanism is the New SCCs.
When looking to implement the New SCCs, a company should as a first step, identify the appropriate module that applies to the specific transfer:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to (sub)processor
- Module 4: processor to controller
In a second step, the exporter will have to adapt the New SCCs to reflect Swiss law, for example, replace references to the GDPR with references to the FADP, include reference to the FDPIC as the competent supervisory authority, and, until entry into force of the revised FADP, extend the scope of application to include personal data of legal entities. This can be done via, for example, an addendum to the New SCCs.
In terms of timing, for Switzerland (1) the New SCCs must be used as of September 27, 2021, for any new data transfers (or data transfers that have substantially changed); and (2) existing agreements relying on the Old SCCs must be replaced with the New SCCs by January 1, 2023.
In addition, the Swiss organization must inform the FDPIC of its proposed use of the New SCCs (Article 6(3) FADP and Article 6 Ordinance to the FADP), although this obligation ceases to exist with the entry into force of the revised FADP, expected in late 2022/early 2023.
Finally, when using the New SCCs (or another contractual safeguard pursuant to Article 6(2)(a) FADP), an organization must conduct a detailed assessment of its international data transfers pursuant to the FDPIC’s guidance of 18 June 2021. This means that the data exporter should (1) keep a detailed record of the international data transfers and (2) conduct a foreign law assessment.
If the foreign law assessment allows the data exporter to conclude that practices in the third country align with the Swiss fundamental rights, reliance on the New SCCs (and indeed the Old SCCs) should in principle be sufficient. Otherwise, the exporter must put in place additional contractual, technical, and organizational measures to address any perceived gaps in the third country. Such supplementary measures may include, for example, confidentiality obligations imposed on the importer, protective orders, encryption prior to transfer or remote-only access to personal data saved on an EU or Swiss server. If this is not possible, the transfer is not permitted.
In terms of next steps, companies will need to carefully consider the New SCCs to determine which of the modules applies to their data transfer scenarios, add an addendum for their use in Switzerland, and determine how they and other parties will comply with contractual obligations in the New SCCs and how they will roll out the New SCCs both for intragroup transfers but also data transfers to third parties. Companies will also need to ensure they have carried out a Schrems II data transfer assessment project and considered the use of the New SCCs in this context.