LawFlash

Switzerland Publishes Adequacy List of Countries Receiving Personal Data Transfers

September 23, 2022

The Swiss government has drafted a proposed list of countries that are approved to receive personal data transfers out of Switzerland. Japan and South Korea are excluded from the current and proposed lists, requiring businesses from those countries to abide by specific legal safeguards for such data transfers.

It is crucial that international data transfers always comply with the data transfer rules of the sending and receiving countries.

The European Union has issued a list of countries that it deems “adequate” for international data transfers, meaning that personal data transfers out of the EU member states to recipients in the listed countries are allowed without legal privacy restrictions. The legal situation for data transfers out of Switzerland is similar, but not identical.

The current EU list includes Argentina, Canada (commercial organizations), Israel, Japan, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay, together with a few small territories/countries. For a recipient country not on the list, data transfers out of the European Union need specific legal safeguards, such as the 2021 Standard Contractual Clauses (SCCs) approved by the European Commission, plus their annexes. Read our separate analysis on the SCCs.

Transfers from Switzerland

The Swiss government (Bundesrat) has published its own list of adequate countries for international data transfers under Article 16 of the new Swiss Data Protection Act, which will enter into force in 2023. The list is annexed to a new ordinance of the Bundesrat, the Ordinance to the Federal Data Protection Act. It still requires the approval of the Swiss Federal Parliament.

The Ordinance to the Federal Data Protection Act lists the following countries/territories as “adequate” to receive personal data transfers out of Switzerland:

Andorra

Argentina

Austria

Belgium

Bulgaria

Canada (commercial organizations)

Croatia

Cyprus

Czech Republic

Denmark

Estonia

Faroe Islands

Finland

France

Germany

Gibraltar

Greece

Guernsey

Hungary

Iceland

Ireland

Isle of Man

Israel

Italy

Jersey

Latvia

Liechtenstein

Lithuania

Luxembourg

Malta

Monaco

Netherlands

New Zealand

Norway

Poland

Portugal

Romania

Slovakia

Slovenia

Spain

Sweden

United Kingdom

Uruguay

 

Significant Differences from EU Adequacy List

Most notably, Japan and South Korea are missing on the Swiss list. Japan and South Korea are also not on Switzerland’s current (2021) list. As a result, EU-based, but not Swiss, companies benefit from the unrestricted data flow with Japan and South Korea. Businesses with data transfers from Switzerland to Japan or South Korea will need Swiss SCCs.

The Swiss Data Protection Authority has Australia listed as a state where "adequate protection may be provided under certain conditions."

The latest Bundesrat list takes effect September 1, 2023, but could be adjusted before then, particularly if the US-European Trans-Atlantic Data Privacy Framework comes into being and Switzerland joins it.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Washington, DC
Tokyo/New York