Switzerland and Schrems II – Policy Paper by the FDPIC

The Swiss Federal Data Protection Commissioner (FDPIC, or in German “EDÖB”) published the policy paper below on the impact of Schrems II.

A third-party high-level summary (in German) is provided here: https://datenrecht.ch/edoeb-stellungnahme-zu-schrems-ii/

“Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection”

From the policy paper:
4.1 Practical advice for Swiss companies
When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.

b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities.18 It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.

c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.