
This Week in Privacy: Are the Swiss and EU Data Transfer Requirements Different?

“This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email with “This Week in Privacy” in the subject line.

Q: Do the Swiss have the same cross-border data transfer requirements as the European Union?

A: Actually, the two are very similar. Switzerland has requirements for transferring data across borders much like the European Union does. Article 6 of the Swiss Data Protection Act (FADP) states that “personal data may not be transferred abroad if to do so might seriously jeopardize the personality rights of the data subject, in particular in cases when there is no legislation that can guarantee an appropriate level of protection.”  

The FADP goes on to clarify that if legislation is not in place that provides appropriate protection, personal data may be transferred abroad only under the following circumstances:

  • There is a sufficient guarantee such as a contractual agreement;
  • With express consent of the data subject;
  • In performance of a contract where the data subject is a party;
  • In specific circumstances (public interest, exercising, or enforcing legal rights);
  • To protect life or prevent injury;
  • The data subject has made the information publicly available and has not forbidden the processing; or,
  • Within an entity or a group of entities under the same management and under data protection rules which provide an adequate level of protection.

The Swiss have published a list that categorizes countries' data protection as sufficient, sufficient under certain conditions, or insufficient. It is not surprising that the countries match those of the EU adequacy determinations along with the US-Swiss Privacy Shield. US companies can now self-certify to the Shield, which replaces the former US-Swiss Safe Harbor Agreement.

The Swiss website provides a template cross-border processing agreement. Additionally, the Swiss permit the EU model contract clauses to be used as long as they are modified “to extend protection to the personal data of legal entities and personality profiles.”

About the Author

K Royal is the technology columnist for, and director at TrustArc. @heartofprivacykroyal
