Cross-Border Data
Transfers (Swiss Addendum)
Secure your global data supply chain from Switzerland. We architect lawful cross-border data flows using the Swiss Addendum to EU SCCs and rigorous Transfer Impact Assessments (TIAs) to satisfy FDPIC requirements and avoid CHF 250k personal fines.
The Post-revFADP Transfer Landscape
As a non-EU member state, Switzerland maintains its own sovereign framework for international data transfers. Under the revised Federal Act on Data Protection (revFADP), transferring personal data outside of Switzerland is strictly regulated. If you use cloud servers in the US, offshore IT support in India, or share HR data with a parent company in Australia, you are executing a restricted cross-border transfer.
The FDPIC has aligned heavily with the European Schrems II ruling. It is no longer sufficient to simply sign a boilerplate contract. Organizations must now analytically prove that the destination country's legal system does not undermine the contractual protections—a process known as a Transfer Impact Assessment (TIA).
Navigating Articles 16 and 17
The Swiss framework operates on a hierarchy of transfer mechanisms:
- Adequacy (Article 16): Transfers to countries approved by the Swiss Federal Council (e.g., EU/EEA nations, the UK, and entities certified under the Swiss-US DPF) can proceed without additional safeguards.
- Appropriate Safeguards (Article 16(2)): If there is no adequacy decision, you must use safeguards like the EU SCCs combined with the Swiss Addendum, or Binding Corporate Rules (BCRs).
- Derogations (Article 17): Exceptional, one-off transfers based on explicit consent or contract necessity. These cannot be used for routine, systematic transfers.
Applicable Legal Framework
Statutory Mandates (revFADP / DSG)
- Article 16: Cross-border disclosure
Data may only be disclosed abroad if the Federal Council has determined adequate protection, or if appropriate safeguards (like data protection clauses) are implemented. - Article 17: Exemptions
Specific derogations for transfers lacking adequacy or safeguards, such as explicit consent. Highly restricted in scope. - Article 19: Privacy Notices
You must actively inform data subjects of the countries to which data is transferred and the safeguards relied upon. - Article 61(a): Criminal Liability
Willful disclosure of personal data abroad in violation of Articles 16 and 17 carries a personal criminal fine of up to CHF 250,000 against the responsible individuals.
Our Implementation Strategy
We eliminate the complexity of cross-border data compliance, providing a unified strategy for multinational organizations operating in or out of Switzerland.
Data Flow Mapping
We dissect your IT architecture and supply chain to identify every instance of data leaving Switzerland, categorizing them by destination and importer role.
Mechanism Selection
We determine the most efficient legal route: Federal Council Adequacy, the Swiss-US DPF, or utilizing the EU SCCs combined with the Swiss Addendum.
Transfer Impact Assessments (TIA)
Our legal team conducts rigorous TIAs analyzing destination-country surveillance laws and judicial redress, ensuring compliance with FDPIC standards.
Supplementary Measures
Where a TIA identifies unacceptable risk, we prescribe technical (e.g., encryption architectures) and organisational measures to render the transfer lawful.
Transferring Swiss Data on Old Contracts?
Using outdated SCCs or transferring data without a TIA exposes executives to CHF 250k personal fines under Article 61. Immediate remediation is required.
Request Contract RepaperingWho Needs This Service?
In the modern cloud economy, almost every enterprise transfers data internationally. This service is critical for:
- SaaS & Cloud Reliant Businesses: Using AWS, Google Cloud, Salesforce, or Hubspot servers located outside Switzerland/EEA.
- Multinational Groups: Sharing HR, payroll, or customer CRM data between a Swiss subsidiary and a parent company in the US, Asia, or UK.
- Outsourcing Hubs: Utilizing customer support, development, or IT administration teams located in countries without FDPIC adequacy (e.g., India).
Enforcement Risks: Personal Liability
A common mistake is believing that signing the EU SCCs covers Swiss data automatically. It does not. Without the Swiss Addendum properly appended, the transfer is legally void under the revFADP.
More critically, the failure to conduct a documented Transfer Impact Assessment (TIA) prior to signing the clauses is a direct infringement. If the FDPIC discovers unlawful international transfers, they will not merely issue a corporate warning; they are legally bound to refer willful violations of Article 16 to the cantonal prosecution authorities for personal fines (Article 61).
Frequently Asked Questions
Clarifying Swiss cross-border transfer rules.
What are the rules for cross-border data transfers from Switzerland?
Under Article 16 of the revFADP, personal data may only be transferred abroad if the Federal Council has determined that the destination country's legislation guarantees adequate data protection. If there is no adequacy decision, transfers require appropriate safeguards, such as Standard Contractual Clauses (SCCs) adapted for Switzerland.
Which countries are considered 'adequate' by Switzerland?
The Swiss Federal Council maintains a binding list of adequate countries in Annex 1 of the Data Protection Ordinance (DPO). This includes the EU/EEA countries, the UK, Japan, and recently, organizations in the USA certified under the Swiss-US Data Privacy Framework.
What is the Swiss Addendum to the EU SCCs?
Instead of drafting an entirely new Swiss contract, the FDPIC recognized the new EU Standard Contractual Clauses (2021 SCCs). However, to use them for Swiss data, you must append a 'Swiss Addendum' that modifies the EU clauses to ensure they govern transfers under the revFADP, protecting Swiss personality rights.
Do we need to do a Transfer Impact Assessment (TIA) in Switzerland?
Yes. Switzerland follows the logic of the EU's Schrems II ruling. Even if you sign the EU SCCs + Swiss Addendum, you must conduct a formal risk assessment (TIA) to verify that the foreign country's surveillance laws do not override the contractual protections.
Does the Swiss-US Data Privacy Framework apply to us?
If you transfer data to a US company, you must check if that specific company is actively certified under the Swiss-US Data Privacy Framework (not just the EU-US one). If they are, you do not need SCCs or a TIA for that specific transfer. If they are not, strict safeguards apply.
Can we transfer data just by getting user consent?
Article 17 allows transfers based on explicit consent, but this is a derogation. It is only valid for specific, non-routine transfers. You cannot use consent as a legal workaround for structural, ongoing data transfers to cloud hosting providers or foreign CRM systems.
What happens if we fail to implement these safeguards?
Unlawful cross-border transfers are a severe violation of the revFADP. Under Article 61(a), anyone who willfully transfers personal data abroad without ensuring adequate protection or implementing safeguards can face personal criminal fines of up to CHF 250,000.
Do we need to notify the FDPIC when we use SCCs?
Under the revFADP, if you use the pre-approved EU SCCs combined with the FDPIC-recognized Swiss Addendum, you do not need to notify the FDPIC. However, if you draft bespoke data protection clauses, they must be approved by the FDPIC in advance.
Fortify Your International Operations
Ensure your cross-border data flows are legally watertight under the revFADP. Let our Swiss experts handle your SCC Addendums and Transfer Impact Assessments to shield your executives from liability.
Book a Transfer ConsultationDisclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the revFADP (DSG), are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.