Both Swiss FADP and GDPR may apply
The starting point of the FDPIC’s guidance is the fact that the company which intends to transfer personal data to a third country (exporter) may be subject to the Swiss Federal Data Protection Act (FADP) and the GDPR at the same time. In the latter case, the exporter cannot change the SCC itself but must also ensure that requirements under Swiss data protection law are taken into account. The FDPIC therefore distinguishes between the following two scenarios:
Scenario 1 - Transfer solely subject to FADP
Where the transfer is solely subject to the FADP, the exporter must mandatorily designate the FDPIC as the competent supervisory authority and choose either Switzerland or the law of a country that grants third party beneficiary rights as governing law. In Scenario 1, the exporter and importer (parties) may freely choose the forum and jurisdiction. Therefore, the parties may opt for Swiss courts, which would not be possible if the transfer is also subject to the GDPR. Moreover, the parties must supplement the SCC with an annex including wording which states that references to the GDPR are to be interpreted as references to the FADP.
Scenario 2 - Transfer subject to FADP and GDPR
If the transfer is subject to both the FADP and the GDPR, the exporter has two options. Option A provides the parties with a rather pragmatic approach which adopts the GDPR as the standard for all international transfers, including the ones that are subject to the FADP. Consequently, the governing law will be the law of an EU member state, and any dispute arising from the SCC must be resolved by the courts of an EU member state. In option B, the parties opt to conclude two sets of SCC, one that governs the international transfer subject to Swiss data protection law, and a separate set which governs international transfers that are subject to the GDPR.
However, both options will entail parallel supervision. As a consequence, the parties must include wording in the corresponding annex of the SCC stipulating that the FDPIC is responsible in parallel to the competent EU supervisory authority.
Annex required in both scenarios
In both scenarios, the SCC must entail an annex stating that the term ‘member state’ should not be interpreted in a way that would preclude data subjects in Switzerland to enforce their rights at their place of habitual residence. Furthermore, the annex must include wording which specifies that the SCC also protect the data of legal entities until the entry into force of the revised FADP.
Going forward
As of 27 September 2021, the old EU SCC, the Swiss Transborder Data Flow Agreement (TBDFA), and the Council of Europe model contract can no longer be agreed and notified to the FDPIC. While these transfer mechanisms are no longer recognised for new agreements, they can continue to be relied upon during a transitional period until 31 December 2022, provided that the international transfer and the contract do not change significantly in the meantime. As of 1 January 2023, exporters must have switched to the new SCC, unless they want to rely on a different transfer tool, such as the new TBDFA which will be drafted in the near future.
Overall, the recognition of the new EU SCC and the corresponding guidance of the FDPIC provide exporters with some flexibility with regard to international transfers from Switzerland to third countries. Particularly companies with an establishment in Switzerland and the EU may benefit from the flexible approach taken by the FDPIC. However, it will in any case be necessary to include an annex to the SCC which reflects the requirements according to Swiss data protection law. Furthermore, in line with current Swiss data protection law, exporters must notify the FDPIC in general terms about the use of the new SCC. This obligation to notify the FDPIC will cease to exist once the revised FADP entered into force, which is likely to occur in mid-2022.
