Switzerland
Summary
Law: Federal Act on Data Protection 1992 ('FADP')
Regulator: Federal Data Protection and Information Commissioner ('FDPIC')
Summary: A revised version of the FADP was adopted on 25 September 2020 (only available in German, French, and Italian), and it broadly seeks alignment with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The revised FADP, alongside the final ordinance on data protection and an ordinance on data protection certifications, entered into force on 1 September 2023, which constituted a one-year transition period for organisations to ensure compliance.
Beyond general data protection regulation, the financial sector in Switzerland is of special interest, as it is subject to different layers of regulation, including data protection laws. Switzerland has also been recognised by the EU as providing adequate protection of data, and has a data transfer agreement with the US in the form of the Swiss-US Privacy Shield. However, the FDPIC recently noted that the Swiss-US Privacy Shield does not guarantee adequate protection for transfers of data to the US.
Furthermore, following the adoption of new Standard Contractual Clauses ('SCCs') for international data transfers by the European Commission in June 2021, the FDPIC announced, on 27 August 2021, that the EU's SCCs could be used for transfers under Swiss law, subject to certain necessary adaptations and amendments.