According to Art. 16 ff. FADP, personal data may only be disclosed to a recipient abroad (including via access to a server in Switzerland) if the level of data protection in that country is similar to that in Switzerland. To this end, the Federal Council draws up a list of countries that, from a Swiss perspective, offer a sufficient level of data protection and publishes this list in Annex 1 of the Data Protection Ordinance (DPO). This provision does not apply if personal data is made generally accessible to the public by automated information and communication services (in particular the internet), even if the data is accessible from abroad (Art. 18 FADP). If a third country does not have an equivalent level of data protection to Switzerland, data export is still permitted if the Swiss data exporter contractually agrees with the foreign data recipient to comply with Swiss data protection standards. The most commonly used contracts for this purpose are the Standard Contractual Clauses (SCC) of the European Commission, which are available for both processors and controllers as recipients.
Since the EU in particular considers the level of data protection in the very important trading partner USA to be insufficient, the EU and Switzerland have created a special solution with the USA. In the EU-Swiss–U.S. Data Privacy Framework (EU-Swiss–U.S. DPF) agreement, the EU, Switzerland and the USA have defined data protection standards. When US companies join this agreement, they commit to complying with the relevant standards. This ensures that the transfer of personal data to these companies is subject to the same high level of data protection required by Art. 6 ff. FADP. The US companies that have joined the agreement can be found at the following link: https://www.dataprivacyframework.gov/list.
On 15 September 2024, the EU-Swiss–U.S. DPF also came into force for Switzerland, after the Federal Council passed a corresponding adequacy decision on 14 August 2024. This decision states that certified US companies guarantee an adequate level of data protection within the meaning of the Swiss Data Protection Act (FADP) (s. media release dated 14 August 2024).