The Swiss Federal Council has added the U.S. to the list of countries with an adequate level of data protection. Effective September 15, 2024, U.S. organizations that certify to the Swiss–U.S. Data Privacy Framework (DPF) can commence receiving transfers of personal data from Switzerland without implementing additional safeguards.
While U.S. organizations were permitted to certify to the DPF as early as July 10, 2023, transfers of personal data to the U.S. solely in reliance on the Swiss-U.S. DPF were delayed until Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. Transfers to certified organizations required additional safeguards (e.g., standard contractual clauses). With a formal adequacy decision, transfers to U.S. companies certified to the DPF may now proceed without additional safeguards.
Similar to the invalidated Swiss-U.S. Privacy Shield, the Swiss-U.S. Data Privacy Framework is administered by the U.S. Department of Commerce, and U.S. organizations must certify to participate. The certification process includes submitting an application and a privacy policy conforming to the Swiss-U.S. DPF Principles, certifying adherence to the Swiss-U.S. DPF Principles, and identifying an independent recourse mechanism. Transferred personal data subject to the DPF includes HR-related data, client or customer data, and personal data collected in the business-to-business context. For purposes of the DPF, a transfer means not only a transmission of personal data from Switzerland to the U.S. but access to personal data in Switzerland (e.g., in a server) from the U.S.
If you have questions about transatlantic transfers of personal data or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group. For more information on the Swiss-U.S. Data Privacy Framework, please see our earlier blog post.