Recognition by Switzerland of States that guarantee an adequate level of data protection

Under the FADP in force from September 2023, the Federal Council is responsible for deciding whether a State, a territory, a specific sector in a State or an international body offers an adequate level of data protection. The task of assessing the adequacy of the level of protection falls to the Federal Office of Justice.

Article 8 of the DPO sets out a number of criteria that must be taken into account in the assessments:
a. international obligations, in particular in relation to data protection;
b. the rule of law and respect for human rights;
c. the legislation applicable, in particular to data protection, its implementation and the relevant case law;
d. data subjects’ rights and redress are effectively guaranteed;
e. the effective functioning of one or more independent authorities that are responsible for data protection and that have sufficient powers and responsibilities.

Annex 1 to the DPO contains a list of States with an adequate level of data protection. This list, which is binding, is reproduced in the table below.

It should be noted that under the FADP in force until August 2023, the Federal Data Protection and Information Commissioner (FDPIC) had drawn up a list of States offering an adequate level of data protection, but it was still up to the data exporter to assess whether data was adequately protected in another State and to ensure that the data concerned was in fact protected. This is no longer the case under the new regime.

List of States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection

State, territory, specified sector within a State or international body

Additional information and documentation:

Germany*

 

Andorra***

 

Argentina***

 

Austria*

 

Belgium*

 

Bulgaria***

 

Canada***

An adequate level of data protection is guaranteed if the Canadian Federal Act on Personal Information Protection and Electronic Documents of 13 April 2000 or the act of a Canadian province that largely corresponds to this Federal Act applies to the private sphere. The Federal Act applies to personal data that is collected, processed or disclosed in the course of commercial activities, irrespective of whether it relates to organisations such as associations, partnerships, individuals or trade unions or undertakings regulated by federal law such as facilities, works, undertakings or business activities that fall within the legislative authority of the Canadian Parliament. The provinces of Quebec, British Columbia and Alberta have issued an act that largely corresponds to the Federal Act; the provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia have issued an act that largely corresponds to this act in relation to health data. In all Canadian provinces, the Federal Act applies to all personal data that are collected, processed or disclosed by undertakings regulated by federal law, including data on employees of these undertakings. The Federal Act also applies to personal data transferred to another province or another country in the course of commercial activities.

Cyprus***

 

Croatia***

 

Denmark*

 

Spain*

 

Estonia*

 

Finland*

 

France*

 

Gibraltar***

 

Greece*

 

Guernsey***

 

Hungary*

 

Isle of Man***

 

Faroe Islands***

 

Ireland***

 

Iceland*

 

Israel***

 

Italy*

 

Jersey***

 

Latvia*

 

Liechtenstein*

 

Lithuania*

 

Luxembourg*

 

Malta*

 

Monaco***

 

Norway*

 

New Zealand***

 

Netherlands*

 

Poland*

 

Portugal*

 

Czech Republic*

 

Romania***

 

United Kingdom**

 

Slovakia*

 

Slovenia*

 

Sweden*

 

Uruguay***

 

United States***

An adequate level of protection is deemed to be guaranteed for personal data processed by organisations certified in accordance with the Swiss-U.S. Data Privacy Framework Principles[1], under the safeguards granted by Executive Order 14086 of 7 October 2022[2], by Regulation on the Data Protection Review Court issued by the U.S. Attorney General on 7 October 2022[3], by Intelligence Community Directive 126 (the implementation procedures for the intelligence redress mechanism under Executive Order 14086) issued by the Office of the Director of National Intelligence on 6 December 2022[4], and by the designation of Switzerland on 7 June 2024 as a State benefiting from a two-tier redress mechanism, including access to the Data Protection Review Court[5].

[1] The Principles are available at the following address:
www.dataprivacyframework.gov/s/framework-text?tabset-c1491=3

[2] Executive Order 14086 is available at the following address:
www.state.gov/executive-order-14086-policy-and-procedures/

[3] The Regulation is available at the following address:
www.federalregister.gov/documents/2022/10/14/2022-22234/data-protection-review-court

[4] The Directive is available at the following address:
www.dni.gov/files/documents/ICD/ICD_126-Implementation-Procedures-for-SIGINT-Redress-Mechanism.pdf

[5] The designation is available at the following address:
www.justice.gov/opcl/media/1355326/dl?inline

* The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with Directive (EU) 2016/680 (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89).

** The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with an implementing decision of the European Commission in which the adequacy of data protection is established in accordance with Directive (EU) 2016/680.

*** The assessment of the adequacy of data protection does not include the disclosure of personal data in terms of the cooperation provided for under Directive (EU) 2016/680.

 
Table: Updated to 15 September 2024

Last modification 15.09.2024

Top of page