GRC and personal data transfer from Switzerland: the standard contractual clauses

14 Oct 2021 07:00 AM By itSMF Staff

Reading time: ~ 2 min.

The transfer of personal data to a country with an inadequate level of data protection: the role of standard contractual clauses (SCC)

During the past months, we had an overview on personal data protection and privacy topics several times.

We had a focus indeed on Swiss FADP (LPD-DSG) and EU GDPR requirements. 

Today we are going to take a closer look to a big threat, taken so seriously by the Swiss lawmaker. The transfer of personal data to a country without an adequate level of data protection on its laws. 

In particular we will show you the relevance of the role of standard contractual clauses (SCC) on this matter. 

The Federal Data Protection and Information Commissioner provisions

As is known, on August 27th, 2021 the Federal Data Protection and Information Commissioner of Switzerland (FDPIC) has released provisions concerning the transfer of personal data to a country with an inadequate level of data protection, based on recognised standard contractual clauses (SCC) and model contracts.

The FDPIC (the Swiss Data Protection Authority) commented on the issue of non-EU transfers, focusing more specifically on the SCCs approved by the European Commission.

In fact, the FDPIC has officially recognised the standard contractual clauses as a legitimate condition for the transfer of personal data to those countries that do not have an adequate level of data protection, albeit with due care and modification.

More precisely, the FDPIC - in its ruling - distinguishes the hypothesis of the transfer to which only the Swiss law on data protection applies (and which, therefore, has no connection with the GDPR), from the hypothesis in which the GDPR applies to the processing pursuant to Article 3(2), but the exporter is a Data Controller or Manager located in Switzerland (and therefore subject to Swiss law).

In this case - according to the FDPIC - the parties may choose whether to draw up two separate agreements (one under GDPR and the other under Swiss data protection law) or to refer to a single regime, subjecting all transfers to GDPR standards, but providing for the appropriate adjustments.   

Andrea Leonardi (Vice President of MGS) 

Need to know more about it?

Click on one of the options below to enter in the itSMF Enviroment and for being updated the way which is best for you.

Subscribe the itSMF Newsletter
DISCOVER THE EVENT CALENDAR
Enter the itSMF Membership Program

itSMF Staff