In this regard, not much has changed compared with the old Data Protection Act. However, as a company you are now no longer responsible for assessing whether or not data protection is implemented sufficiently in other countries. It is now the responsibility of the Federal Council to determine which countries implement a suitable level of data protection. The transfer of personal data to countries on this list is permitted without further measures.
According to Swiss legislation, it is enough for personal data to be transferred or made available. However – as in accordance with the GDPR – it is not required for the data to be transferred abroad for the purpose of further processing. This means that every case of transmission of personal data abroad must be reviewed in advance, even if the data is not subjected to further processing abroad.
Are there exceptions?
If you want to transfer personal data to a country that is not on the list of the Federal Council, the law provides for various options for how suitable data protection can still be ensured. For example, this could be binding regulations inside the company, standard data clauses or contracts. However, these must be submitted to the Federal Data Protection and Information Commissioner (FDPIC) for information or approval in advance.
The law provides for additional exceptions, such as the explicit consent of the affected parties. If the data subjects grant their consent for their data to be transferred abroad, then you must document this consent in writing.