As of August 27, 2021, the FDPIC has issued the Revised standard contractual clauses (SCC) is recognized in principle (cf. Communication; no permalink). However, the new SCC only allow the disclosure of personal data to countries without adequate protection “provided that the necessary adjustments and additions are made for use under Swiss data protection law.” What is specifically meant by this is clear from a Working paper of the FDPIC with the same date (PDF).
The starting point of the FDPIC is the fact that the exporter may be subject to the DPA and the GDPR at the same time when disclosing abroad. In the latter case, the exporter cannot change the SCC itself, but must still ensure that Swiss concerns are taken into account. The FDPIC therefore distinguishes between the following constellations:
- Disclosure based on the new SCC is subject only to the DPA. Here, the exporter would have to designate the FDPIC as the competent supervisory authority. In addition, he would have to provide in an annex to the SCC that the term “Member State” in the SCC (also) means Switzerland, that references to the GDPR are to be understood as references to the DPA, and that the new SCC also protect legal persons until the revDSG enters into force (questionable in my opinion, because the law of the recipient state may well “adequately” protect such data, even if not necessarily through local data protection law). Otherwise, however, the exporter is relatively free, and it can in particular also subject the SCC to Swiss law and the jurisdiction of Swiss courts, which the GDPR does not permit for the new SCC.
- Disclosure is subject to both the DPA and the GDPR. Here, the exporter has two options: He can provide for separate SCCs for the DPA and for the GDPR (i.e. he can provide that a different regime applies to exports under the DPA than to those under the GDPR). Or it may provide that the GDPR applies to the disclosure as a whole – this is permissible because the GDPR conveys adequate protection. But even then, the exporter cannot ignore the requirements of the GDPR. Rather, he would have to provide in an annex also in this case that the FDPIC is competent in parallel to the competent EEA authority, that Switzerland is also to be considered as a Member State within the meaning of the SCC and that the SCC provisionally also apply to data of legal persons.
The annexes required by the FDPIC correspond more or less to what Swiss exporters have often already agreed today as adaptations of the “old” SCC, but in my opinion on a voluntary basis.
It should be added that the FDPIC – like the SCC – refers to “Member States”; however, in addition to the Member States of the EU, it is correct to also include the EEA States included, especially since the GDPR applies directly in the EEA and the references to the Member States in the GDPR must therefore also mean the other EEA states. The parties may therefore also choose the jurisdiction of a Liechtenstein court within the scope of the GDPR and subject the SCC to Liechtenstein law.
The old standard contractual clauses, the TBDFA (Swiss Transborder Data Flow Agreement) and the Council of Europe’s model contract can still be until 27 September 2021 used and reported to the FDPIC. After that, they are no longer recognized. However, they may be used during a transitional period until December 31, 2022 remain in use, provided that the “data processing” (probably: the disclosure) and the contract do not change significantly in the meantime. After that, however, exporters must have switched to the new SCC (unless they want to use a different transfer tool). A new TBDFA does not exist yet, but is in progress.