On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) informed that it recognizes the new EU standard contractual clauses published by the European Commission on June 4, 2021 as standard clauses under the Swiss Data Protection Act (DPA). Hence, companies exporting personal data from Switzerland may use the new SCC for their data exports from Switzerland. In the following, we summarize the key takeaways resulting from the FDPIC’s decision.

What follows from the FDPIC’s acknowledgment of August 27, 2021?

The FDPIC recognized the new SCC as standard clauses acceptable for data exports from Switzerland. This means that Swiss companies may in principle use the new SCC as basis for exports of personal data from Switzerland to third countries without adequate data protection laws. As a result of this acknowledgment, companies relying on the new SCC are exempt from the requirement to notify the FDPIC of the use of the new SCC for each transfer; instead, it will be sufficient for them to inform the FDPIC in a general manner that they rely on the new SCC when exporting personal data to third countries.

Is the transition to the new SCC mandatory for Swiss companies?

The new SCC, as well as the old SCC, are just one of several means to provide for sufficient safeguards when exporting personal data from Switzerland to third countries without adequate data protection laws. Hence, using the SCC is not mandatory per se. However, using alternative contractual safeguards requires a case-by-case notification to and examination by the FDPIC, which makes their use and administration burdensome. Thus, from a practical standpoint, using the new SCC will often be the only feasible basis for exports of personal data to third countries where no exception provided for in the DPA to justify the export without contractual safeguards applies.

Moreover, it is to be expected that the FDPIC will not accept the continued use of the old SCC as alternative contractual safeguards for exports of personal data to third countries. Thus, even if the transition to the new SCC is not as such mandatory, the old SCC will no longer be regarded as sufficient by the FDPIC. Hence, action will be required in any case where existing agreements that rely on the old SCC shall continue beyond the end of 2022 (cf. below re timeline).

What is the timeline to implement the new SCC?

The FDPIC’s acknowledgment comes right in time, as many companies are amidst the transition to the new SCC, which become binding in the EU as from September 27, 2021. Swiss companies will be relieved to hear that the Swiss timeline is largely aligned with the one applicable in the EU, simplifying the coordination of the transition activities in the EU and in Switzerland:

• As from September 27, 2021, the old SCC will no longer be acknowledged by the FDPIC as standard clauses providing for sufficient safeguards for data exports to third countries from Switzerland. Accordingly, as from that date, new or amended agreements governing exports of personal data from Switzerland to third countries should no longer rely on the old SCC as basis to provide adequate data protection safeguards. The same applies with respect to other standard contractual safeguards previously acknowledged by the FDPIC – namely the Swiss Transborder Data Flow Agreement (for outsourcing of data processing) as well as the template agreement of the European Council – which were however not frequently used in practice.
• There will be a transition period until the end of 2022 for existing agreements based on the old SCC, provided that the relevant processing activities they govern and the agreements as such remain substantially unchanged: Companies may continue to rely on such existing agreements until December 31, 2022. As from January 1, 2023, these agreements will have to be updated to incorporate the new SCC or, as the case may be, other acceptable safeguards.

Do the new SCC need to be adapted for use in Switzerland?

According to the FDPIC, the SCC require only minor clarifications to account for the DPA. In particular, the FDPIC asks for clarifications to be added (1) that references to EU member states in the SCC shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights at their habitual residence in Switzerland,[1] and (2) that the SCC also protect data pertaining to legal entities as long as the current Swiss DPA remains in force.[2] In addition, companies need to clarify (3) that the FDPIC is the competent authority for the purposes of the DPA.

These clarifications may be included in an addendum to the SCC that applies insofar as the DPA is concerned. This way, the addition would not conflict with the general rule stipulated in the SCC that the SCC as such must not be amended in order to constitute a valid basis for transfers under the GDPR.

Beyond that, the FDPIC acknowledges in principle that the new SCC can be used unchanged for data transfers that are governed by the DPA and the GDPR at the same time. This will facilitate implementation work for Swiss companies.

Can we simply replace references to the old SCC in existing agreements to references to the new SCC?

The transition to the new SCC requires more complex adjustments to existing agreements than just this. This is because the new SCC are substantially different from the old SCC in terms of content and structure, so that they cannot simply be replaced in agreements by way of an addendum replacing references to the old SCC by such to the new SCC.

First, the new SCC implement a modular approach and replace all three previous sets of SCC (i.e., the two different sets of SCC for controller-to-controller transfers and the third set for controller-to-processor transfers). When implementing the new SCC, the parties will have to agree on which module(s) apply to the relevant data export. Specifically, the new SCC include four modules governing different types of transfers, as follows:

• Module 1: controller-to-controller transfers;
• Module 2: controller-to-processor (and potential sub-processors) transfers;
• Module 3: processor-to-processor (and potential sub-processors) transfers; and
• Module 4: processor-to-controller transfers.

Second, the new SCC include additional rules and govern further topics than the old SCC that need to be considered when adjusting existing agreements. In particular, modules 2 and 3 governing transfers to processors include processor terms, which may conflict with existing agreements. Further, the new SCC implement the requirement to perform a transfer impact assessment to help companies deal with the requirements resulting from last year’s Schrems II decision of the CJEU (cf. below and our Bulletin of July 16, 2020). Moreover, the new SCC include provisions governing liability and certain representations to be made by the parties. All this means that existing agreements will often have to be reviewed one-by-one to assess the potential impact of the transition to the new SCC and to identify the specific adjustments needed.

Third, the new SCC will require additional information in their annexes, such as on the competent supervisory authority, on safeguards implemented when transferring sensitive personal data, and on the frequency of the transfer. For transfers to processors, they require the specification of the subject matter, the nature and the duration of the processing. In addition, the new SCC require a broader, more detailed and specific description of the technical and organizational measures to ensure data security than this was the case under the old SCC.

Do we need to perform a Swiss law transfer impact assessment when using the new SCC?

In its Schrems II decision, the CJEU held that the use of the SCC as a contractual basis to secure exports of personal data to third countries requires a case-by-case assessment, in particular with regard to data access rights of authorities in the country of destination (see our Bulletin of July 16, 2020). As a result, the new SCC now also require the data exporter and the data importer to undertake and document a so-called transfer impact assessment (TIA). Further, the new SCC require the parties to warrant that they have no reasons to believe that the laws and practices in place in the country of destination prevents the data importer from complying with its obligations under the SCC, and they impose an obligation on the data importer to notify the data exporter in case of access requests by authorities. Failure to comply with these obligations, may result in liability.

However, it is important to note that the new SCC as such do not overcome the structural issue identified by the CJEU in the Schrems II decision, i.e., that mandatory surveillance and government access laws may overrule the contractual obligations under the SCC. Thus, if the TIA identifies risks that are not mitigated by the SCC, additional safeguards are required in order for the data export to go forward.

From a Swiss law perspective, the FDPIC also requests a TIA to be performed. The basis for this is each data exporter’s obligation to ensure that contractual safeguards provide adequate protection for the personality of the data subjects. According to its guidance on TIAs released by the FDPIC earlier this year, companies performing a TIA need to consider (1) the specifics of the contemplated data transfer, in particular in terms of categories of personal data, data subjects, purpose of the transfer, processors and sub-processors involved (if any), and (2) the compliance of the third country’s surveillance and lawful access rights with the four essential guarantees of lawful basis, necessity and proportionality, effective legal remedies, and access to an independent and impartial court in relation to the contemplated data export. If the essential guarantees are complied with in the country of destination, the data exporter may in principle export the personal data based on the SCC. Otherwise, in addition to agreeing on the SCC, additional technical and organizational measures need to be implemented in order to ensure an adequate data protection level. In practice, it is to be expected that the Swiss law TIA will largely follow the one required by the SCC and EU data protection authorities, even though uncertainties as to regulatory practice continue to this date.

Do we need to inform the FDPIC about the transition to the new SCC?

Unlike the GDPR, the current Swiss DPA still requires companies to inform the FDPIC about their use of the SCC. While the use of non-standard contractual safeguards requires a case-by-case notification to and examination by the FDPIC, for the SCC, a general, one-time notification to the FDPIC is sufficient to cover all further uses of the SCC. This notification requirement for approved standard clauses will be abolished when the new DPA will enter into force. For the time being, however, it continues to apply.

In its August 27, 2021 communication, the FDPIC does not address the question of whether companies who have previously informed the FDPIC about their use of the old SCC need to renew this notification as they transition to the new SCC. Even though that the practical risk of fines imposed in case companies fail to notify the FDPIC of the transition from the old to the new SCC appears to be limited,[3] it is advisable to inform the FDPIC of the use of the new SCC to avoid such risk.

Is there any update as to when the new Swiss DPA enters into force?

Interestingly, the FDPIC’s communication of August 27, 2021 also provides an update on the timeline for the new Swiss DPA to enter into force: While many expected this to be in the second half of 2022, the FDPIC indicates that the new Swiss DPA will enter into force only on January 1, 2023.

It is to be noted, however, that this view of the FDPIC is not binding upon the Federal Council who will decide when the new DPA enters into force. Thus, in theory at least, it is still possible that the new DPA enters into force still in 2022.

[1]        See in particular clause 18(c) of the SCC, which refers to the right of the data subject to bring legal proceedings against the data export and/or data importer before the courts of the “Member States” in which the data subject has his/her habitual residence. The FDPIC does not want this to be interpreted as limiting the rights of data subjects with their habitual residence in Switzerland.

[2]        The current DPA still protects data pertaining to legal entities as personal data. Under the new DPA, data pertaining to legal entities will no longer constitute personal data.

[3]        According to article 34(2)(a) DPA, the failure to inform the FDPIC about the contractual safeguards relied upon when exporting personal data to third countries is a criminal offence that may result in fines of up to CHF 10,000.