European General Data Protection Regulation: New legal situation for Swiss exporters

The European General Data Protection Regulation (GDPR) has regulated the processing of personal data in the EU since 2018. A court decision now extends the scope to include personal data of EU citizens transferred to third countries. This may already be the case for Swiss SMEs when processing payments via international service providers or using cloud services.


The reason for this decision was M. Schrems' legal dispute with the Irish supervisory authority due to the unauthorized transfer of personal data by Facebook from Ireland to the parent company in the US. A suspension of the data transfer by authorities is possible. It remains to be seen whether a fine will be imposed.

Key message:

  • The GDPR applies in a third country and in the USA where access by the intelligence services of that country occurs for reasons of national security or defense. According to the GDPR, all countries outside of the EU and the EEA are so-called “third countries”, i.e. personal data may not be transferred to these countries automatically. This could also include the UK from January 1, 2021.
  • The Privacy Shield of the USA (adequacy decision of the EU Commission: adequate level of data protection for the EU) is invalid with immediate effect.
  • However, the Standard Security Clauses (SSC) still apply, if necessary with additional security measures. In a case-by-case assessment by the data importer/exporter, it must be checked whether a level of data protection equivalent to the EU exists in the destination country.

The international transfer of personal data also includes credit card data (online shop) and data in the cloud.

What do the decisions of the ECJ mean for Switzerland?

The ECJ does not pass decisions for Switzerland. But, for export-oriented companies in Switzerland, this means, as it did before Safe Harbor, that they must identify and document exports of personal data from Switzerland or Europe that they transfer to third countries without an adequacy decision. In addition, all data transfers must be checked for a data security level equivalent to that of the EU, but also whether data access to data centers is possible and the data transfers within the entire supply chain.

It must be determined whether data transfers are based only on the Privacy Shield or the SSCs or whether another legal basis applies. The CEO faces the risk of a fine from the supervisory authority of up to CHF 250,000, and an entry in the criminal record that cannot be deleted for 20 years.


Official program