- Transmission of personal data to the parent company is considered disclosure to third parties and is subject to Swiss data protection law for cross-border transfers.
- Three alternatives are required for transfers to the USA: US-Swiss Safer Harbor certification, an appropriate contract or the consent of the data subject.
- For recipient countries with adequate data protection, there is no additional effort, but there is still an obligation to inform employees (transparency principle).
The transfer of personal data from the subsidiary to the parent company constitutes a disclosure of data to a third party, and the rules of the Data Protection Act for the cross-border disclosure of personal data must be followed. Depending on the location of the parent company, different precautions must be taken for data disclosure from Switzerland. Particularly in the case of data disclosure to the USA, which has been the subject of particularly frequent inquiries, three conditions must alternatively be met because the USA does not guarantee sufficient data protection. Either the data-receiving company has certified itself to the U.S. Department of Commerce in accordance with the “U.S.-Swiss Safer Harbor Framework”, or a contract has been concluded that guarantees adequate data protection, or the data subjects have consented. If the data-receiving company is located in a state that guarantees adequate data protection, the disclosure from Switzerland can be made without these precautions. In principle, however, the transparency principle also applies here. The employees of the Swiss subsidiary must be informed about the data disclosure abroad.
Source: FDPIC – Centralization of human resources abroad