Transfer framework — Article 16 FADP and Federal Council adequacy list
Switzerland's international data transfer regime is governed by Article 16 of the Federal Act on Data Protection (FADP), which entered into force on September 1, 2023 following adoption by the Swiss Parliament on September 25, 2020. The FADP replaced the 1992 Federal Data Protection Act and modernized Switzerland's data protection framework to align with the Council of Europe's Convention 108+ and the EU's General Data Protection Regulation (GDPR), though the GDPR does not formally bind Switzerland.
Article 16(1) FADP establishes the core rule: personal data may be disclosed abroad only if the Federal Council has determined that the legislation of the recipient State, territory, sector, or international body guarantees an adequate level of data protection. The Federal Council—Switzerland's executive—holds exclusive authority to make adequacy determinations; this marks a shift from the pre-2023 regime, where the Federal Data Protection and Information Commissioner (FDPIC) maintained a non-binding advisory list.
Annex 1 to the Data Protection Ordinance (DPO, SR 235.11) contains the binding list of States recognized as adequate. The DPO is the implementing regulation for the FADP. As confirmed by the FDPIC and the Federal Department of Justice, the list includes all European Union and European Economic Area member states, the United Kingdom, and—effective September 15, 2024—the United States, but only for personal data processed by companies certified under the Swiss-U.S. Data Privacy Framework. The adequacy assessment criteria are set out in Article 8 DPO, which directs the Federal Council to consider whether the foreign law incorporates principles of legality, good faith, proportionality, transparency, purpose limitation, and accuracy.
When a recipient country is not on the adequacy list, Article 16(2) FADP permits cross-border disclosure if the controller (or processor, where applicable) secures appropriate data protection through one of five mechanisms:
- Article 16(2)(a): An international treaty containing data protection guarantees (e.g., Council of Europe Convention 108+);
- Article 16(2)(b): Data protection clauses in a specific agreement between controller and recipient, which must be notified to the FDPIC before the disclosure occurs;
- Article 16(2)(c): Specific guarantees provided by the controller;
- Article 16(2)(d): Standard data protection clauses that the FDPIC has approved, issued, or recognized—no notification is required for recognized standard clauses under the post-September 2023 FADP;
- Article 16(2)(e): Binding corporate rules (BCRs), which apply to all undertakings within the same corporate group and must satisfy the requirements of Articles 9 and 10 DPO (including organizational structure details, data-subject rights provisions, and legally binding enforceability against all group members).
The FDPIC has recognized the European Commission's Standard Contractual Clauses (SCCs) under Implementing Decision (EU) 2021/914 and the Council of Europe's Model Contractual Clauses (MCCs) as valid transfer instruments under Article 16(2)(d). In its guidance dated August 27, 2021, the FDPIC specified that parties using the EU SCCs for Swiss transfers must make the following adaptations: references to the GDPR must be understood as references to the FADP, the FDPIC must be designated as the supervisory authority in Annex I.C for FADP-governed transfers, and Swiss courts must be specified as an alternative jurisdiction for data-subject claims when the data subjects are in Switzerland.
When no adequacy decision or approved safeguard is in place, cross-border disclosure may still be permitted under the derogations in Article 17 FADP, which cover scenarios such as data-subject consent, contract performance, vital interests, and public-interest processing. Article 17 is the Swiss analogue to GDPR Article 49 derogations and is intended as a fallback for exceptional, non-routine transfers.
The supervisory authority is the FDPIC, an independent federal body. Under Article 49(1) FADP, the FDPIC may open investigations into federal bodies or private persons on its own initiative or following a complaint. The FDPIC's enforcement powers under Article 51(1) include formal rulings requiring data controllers or processors to adapt, suspend, or terminate processing activities that violate the FADP.
Switzerland benefits from mutual adequacy recognition with the European Union. The EU Commission issued an adequacy decision for Switzerland in 2000 under Directive 95/46/EC; that decision remained in force during the GDPR transition. In January 2024, the EU Commission confirmed that Switzerland continues to provide an adequate level of protection under the GDPR, enabling free data flows between Switzerland and EU/EEA member states in both directions.
Source: Federal Act on Data Protection (FADP) of 25 September 2020, SR 235.1
Source: Data Protection Ordinance (DPO) of 31 August 2022, SR 235.11
Source: FDPIC, Cross-border transfer of personal data
Source: FDPIC, The transfer of personal data to a country without an adequate level of data protection based on recognised standard contractual clauses and model contracts, August 27, 2021
Source: FDPIC, Adequacy
Source: Swiss Federal Department of Justice, New data protection legislation
Article 17 FADP derogations — exceptional transfers without adequacy or safeguards
Article 17 of the Federal Act on Data Protection (FADP), which entered into force on September 1, 2023, provides a set of derogations that permit cross-border disclosure of personal data even when the destination country does not appear on the Federal Council's adequacy list (Annex 1 to the Data Protection Ordinance) and the controller has not implemented appropriate safeguards under Article 16(2) FADP. These exceptions mirror the structure of GDPR Article 49 derogations but contain certain notable differences in scope and application. Article 17 is intended as a fallback mechanism for exceptional, non-routine transfers — not as a primary transfer basis.
Article 17(1) FADP enumerates six derogations. Each applies on a case-by-case basis to specific disclosures, not to systematic or ongoing data flows. The controller or processor bears the burden of demonstrating that the conditions for the derogation are met and must inform the Federal Data Protection and Information Commissioner (FDPIC) upon request about disclosures made under certain derogations (Article 17(2) FADP).
Article 17(1)(a) — Explicit consent
Personal data may be disclosed abroad if the data subject has explicitly consented to the specific cross-border disclosure. The FADP does not define "explicit consent," but the FDPIC has interpreted it to require a clear affirmative act demonstrating informed, specific, and freely given agreement to the transfer. Consent must identify the destination country (or countries) and the risks arising from the absence of adequate protection. Unlike GDPR Article 49(1)(a), Swiss law does not explicitly require that the data subject be informed of the "possible risks" of the transfer in the statutory text itself, though the FDPIC guidance recommends such disclosure as best practice to ensure the consent is genuinely informed. Consent under Article 17(1)(a) is particularly relevant for one-time or irregular transfers where the volume and sensitivity of data do not justify implementing standard contractual clauses.
Article 17(1)(b) — Contract performance
Disclosure is permitted if it is directly connected with the conclusion or performance of a contract between the controller and the data subject, or between the controller and a third party acting in the interest of the data subject. This derogation covers, for example, international payment processing, cross-border order fulfillment, or provision of services that inherently require disclosure to a foreign service provider. The transfer must be necessary for contract performance; mere convenience or cost savings do not suffice. The FDPIC has clarified that this derogation does not extend to systematic, recurring transfers that form part of a controller's ordinary business model — those should instead rely on Article 16(2) safeguards.
Article 17(1)(c) — Legal claims and foreign authority proceedings
A significant expansion from the pre-2023 FADP, Article 17(1)(c) allows disclosure if it is necessary to establish, exercise, or enforce legal claims before a court or other competent foreign authority. The revised FADP broadened the scope from "court" alone to include "competent foreign authority," which encompasses supervisory authorities, tax authorities, criminal prosecution authorities, and regulatory bodies. This revision is particularly important for Swiss companies subject to foreign regulatory investigations (e.g., U.S. Department of Justice or Securities and Exchange Commission proceedings) or employment litigation. The derogation also permits disclosure to third parties assisting the disclosing party in the foreign proceeding, including foreign law firms, forensic accountants, and expert witnesses, provided the disclosure is necessary for the legal matter. "Necessary" means the transfer must be proportionate and limited to the data actually required for the legal claim or defense. The scope and interpretation of this derogation may continue to evolve with Swiss court decisions and further FDPIC guidance.
Article 17(1)(d) — Overriding public interest
Disclosure is permitted if it is necessary to safeguard an overriding public interest. Examples include cooperation with foreign criminal investigations (subject to applicable mutual legal assistance treaty requirements), regulatory compliance mandates, public health emergencies, or national security matters. The public interest must be overriding — a higher threshold than the "important reasons of public interest" under GDPR Article 49(1)(d). Swiss courts and the FDPIC apply a strict proportionality test, requiring that the transfer be the least intrusive means of achieving the public interest objective. Controllers relying on this derogation should document the analysis and, where feasible, consult the FDPIC in advance. As with other derogations, the precise contours of "overriding public interest" will be shaped by future enforcement decisions and court rulings.
Article 17(1)(e) — Vital interests
The controller may disclose personal data abroad if the transfer is necessary to protect the life or physical integrity of the data subject or a third party, and it is not possible to obtain the data subject's consent within a reasonable time. This is a true emergency exception — for example, cross-border medical data sharing in a trauma case or locating a missing person. The FDPIC has emphasized that "not possible to obtain consent" means genuine impossibility (unconsciousness, absence, or time constraints that would render consent-seeking futile), not mere inconvenience.
Article 17(1)(f) — Publicly accessible data
Personal data may be disclosed abroad if the data subject has made the data generally accessible (e.g., on a public-facing website, social media profile, or business directory) and has not expressly prohibited the processing. The data must be intentionally made public by the data subject, not merely discoverable through a data breach or scraping. The absence of an express prohibition is assessed at the time of disclosure; if the data subject subsequently objects, ongoing reliance on this derogation ceases. For instance, a data subject who posts a professional biography on an unrestricted public website and later issues a written objection to cross-border processing of that biography would terminate the controller's ability to invoke Article 17(1)(f) for future transfers of that data. This derogation is narrower than it may appear — the FDPIC has held that data posted on a semi-public or access-restricted platform (LinkedIn connection-only profiles, members-only forums) does not qualify as "generally accessible."
Notification and documentation requirements
Under Article 17(2) FADP, the controller or processor must inform the FDPIC upon request about disclosures made under certain derogations — specifically Article 17(1)(b)(2) (contract with a third party in the interest of the data subject), Article 17(1)(c) (legal claims), and Article 17(1)(d) (overriding public interest). The FDPIC may request such information as part of an investigation under Article 49 FADP. Controllers should maintain records documenting the factual basis for each Article 17 transfer, including the specific derogation invoked, the necessity analysis, and any notifications made.
Relationship to Article 19(4) transparency obligation
When personal data are disclosed abroad under an Article 17 derogation, Article 19(4) FADP requires the controller to inform the data subject of the destination country (or international body) and, if applicable, the safeguards under Article 16(2) or the application of an Article 17 exception. This transparency obligation applies even when the derogation itself does not require individual consent. The notification must be provided at the time of data collection, or — if the data were not collected from the data subject — within one month of receipt or at the time of disclosure, whichever is earlier (Article 19(5) FADP).
Criminal liability for non-compliant transfers
If data are disclosed abroad in violation of Articles 16 and 17 FADP, the individual responsible (typically a natural person acting on behalf of the controller, such as a director or data protection officer) may face criminal sanctions under Article 61 FADP. Intentional violations are punishable by a fine of up to CHF 250,000. Article 61 applies only to intentional breaches and does not cover the corporate entity itself — Switzerland's data protection criminal liability is personal, not enterprise-level.
Source: Federal Act on Data Protection (FADP) of 25 September 2020, SR 235.1, Articles 17, 19, 61
Source: FDPIC, Cross-border transfer of personal data
Swiss-US Data Privacy Framework — September 2024 adequacy for DPF-certified US companies
On August 14, 2024, the Swiss Federal Council issued an adequacy decision recognizing that the Swiss-US Data Privacy Framework (Swiss-US DPF) provides an adequate level of protection for personal data transfers from Switzerland to US companies certified under the DPF. The Federal Council approved a corresponding amendment to Annex 1 of the Data Protection Ordinance (SR 235.11), adding the United States to the list of countries with adequate data protection for this limited category of transfers. The amendment entered into force on September 15, 2024.
Self-certification mechanism and verification
The Swiss-US DPF operates through self-certification: US companies subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT) may certify themselves as compliant with the DPF Principles by submitting a self-certification to the International Trade Administration (ITA). The ITA maintains the Data Privacy Framework List, a publicly searchable database of certified organizations, at dataprivacyframework.gov/list. Swiss controllers and processors transferring personal data to a US recipient should verify the recipient's current certification status on the DPF List before each transfer; certification is not permanent and lapses if the company fails to complete its annual re-certification or is removed for non-compliance.
Scope and safeguards
The adequacy decision applies only to transfers to DPF-certified US companies. Transfers to non-certified US companies remain subject to the safeguards required by Article 16(2) FADP — typically standard contractual clauses (SCCs) and a transfer impact assessment — or, in exceptional cases, the derogations under Article 17 FADP. Certified companies must adhere to the DPF Principles, which include:
- Purpose limitation: The US company may process personal data only for the purposes for which it was collected.
- No onward disclosure to non-certified third parties: Disclosure to non-certified US companies or other third parties is prohibited unless the recipient also adheres to the DPF Principles.
- Data subject rights: Certified companies must provide Swiss individuals with access, correction, and deletion rights analogous to those under the FADP.
- Independent recourse mechanism: Each certified company must offer, at no cost to the data subject, access to an independent dispute resolution body for complaints about DPF compliance. The FDPIC also has authority to investigate and refer complaints.
US legal framework: Executive Order 14086 and the Attorney General designation
The Swiss adequacy assessment relied on reforms to US intelligence-gathering practices introduced by Executive Order 14086, signed by President Biden on October 7, 2022. EO 14086 imposed proportionality requirements on US intelligence activities, enhanced oversight of US intelligence services, and established a Data Protection Review Court (DPRC) to provide redress to individuals whose data is accessed by US authorities. On June 7, 2024, the US Attorney General designated Switzerland as a qualifying state for purposes of the DPRC redress mechanism, a prerequisite for the Federal Council's adequacy decision. The Federal Office of Justice completed its assessment of US data protection under the DPF on April 30, 2024, concluding that the DPF "ensures an adequate level of protection for personal data" transferred to certified US organizations.
Relationship to the EU-US DPF
The Swiss-US DPF substantially mirrors the EU-US Data Privacy Framework, which the European Commission adopted by adequacy decision on July 10, 2023. The DPF Principles are effectively identical for EU and Swiss purposes, with references to "the European Commission" and "EU DPAs" replaced by "the Swiss Federal Administration" and "the FDPIC." A US company may certify for the EU-US DPF, the Swiss-US DPF, or both; certification for one does not automatically confer certification for the other.
Practical implications and Schrems risk
From September 15, 2024, Swiss controllers may transfer personal data to DPF-certified US companies without executing SCCs or conducting a transfer impact assessment, provided the recipient remains on the DPF List at the time of transfer. However, controllers must still comply with Article 19(4) FADP transparency requirements, informing data subjects of the cross-border transfer and the adequacy basis.
Many Swiss practitioners recommend that companies retain pre-existing SCCs as a fallback for transfers to DPF-certified recipients, given the historical instability of US adequacy frameworks. The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework in Schrems I (2015) and the Privacy Shield in Schrems II (July 2020), in both cases finding that US surveillance laws and the lack of effective redress violated fundamental rights. Although CJEU rulings do not directly bind Switzerland, a future CJEU invalidation of the EU-US DPF would likely prompt the Swiss Federal Council to reassess its own adequacy decision, given the legal and technical parallels between the two frameworks. The Federal Council has committed to periodic reviews of the adequacy decision; the first review is expected within one year of the effective date.
Source: Federal Council, Swiss-US Data Privacy Framework: Certified US companies offer adequate protection for personal data, August 14, 2024
Source: FDPIC, New Swiss-US Data Privacy Framework, August 15, 2024
Source: US Department of Commerce, Secretary Raimondo Statement on Swiss-U.S. Data Privacy Framework, September 16, 2024
Source: Data Privacy Framework List
Source: Data Protection Ordinance (DPO), SR 235.11
Transfer impact assessment and supplementary measures under Article 16(2) FADP — Schrems II safeguards for SCC-based transfers
When a Swiss controller or processor transfers personal data abroad using standard contractual clauses (SCCs) under Article 16(2)(d) FADP or specific contractual data protection clauses under Article 16(2)(b) FADP to a country that does not appear on the Federal Council's adequacy list (Annex 1 to the Data Protection Ordinance), Swiss law requires a case-by-case assessment of whether the contractual safeguards alone provide adequate protection or whether supplementary measures are necessary. This requirement mirrors the European Data Protection Board's (EDPB) Recommendations 01/2020 on supplementary transfer tools following the Court of Justice of the European Union's (CJEU) judgment in Schrems II (Case C-311/18, decided July 16, 2020), which invalidated the EU-US Privacy Shield and mandated transfer impact assessments for SCC-based transfers to countries with intrusive government surveillance laws.
Legal basis and FDPIC guidance
Although neither the Federal Act on Data Protection (FADP) nor the Data Protection Ordinance (DPO) contains an express provision titled "transfer impact assessment," the Federal Data Protection and Information Commissioner (FDPIC) has interpreted Article 16(2) FADP in conjunction with Article 9(3) DPO to impose this obligation. Article 9(3) DPO provides that when the controller relies on data protection clauses in a specific agreement (Art. 16(2)(b)) or on standard data protection clauses (Art. 16(2)(d)), "the lack of adequate protection [in the recipient country] must be compensated by sufficient guarantees." This language is the statutory hook for the transfer impact assessment requirement.
The FDPIC published a detailed "Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 letters b and d FADP)" in June 2021, updated in May 2023 following entry into force of the revised FADP on September 1, 2023. The guide is structured as a flowchart-based assessment process and is available in German, French, and Italian on the FDPIC's website. The FDPIC explicitly states in its cross-border transfer guidance that "it may be necessary in some cases to supplement [data protection clauses] with technical measures if the law applicable to the recipient allows disproportionate access by the authorities."
The FDPIC has also recognized the EDPB Recommendations 01/2020 as persuasive authority for Swiss transfer impact assessments, reflecting Switzerland's policy of aligning its data protection framework with the EU GDPR to preserve mutual adequacy recognition and facilitate cross-border data flows between Switzerland and the European Economic Area.
The four-step transfer impact assessment under FDPIC guidance
The FDPIC's June 2021 / May 2023 guide prescribes a four-step assessment when using SCCs or specific contractual clauses to transfer data to a non-adequate country:
Step 1: Know your transfer. The controller must document the personal data being transferred (categories, volume, sensitivity), the purpose of the transfer, the identity and location of the data importer, any onward transfers or sub-processors, and the technical and organizational measures already in place.
Step 2: Identify the laws and practices of the destination country. The controller must assess whether the law of the destination country permits government authorities, intelligence services, or other public bodies to access the transferred personal data in a manner that would be disproportionate under Swiss or EU standards. The FDPIC guide directs particular attention to signals intercept laws (e.g., U.S. FISA Section 702, UK Investigatory Powers Act 2016, Chinese National Intelligence Law Article 7), mandatory data localization or government access requirements, and absence of independent judicial oversight or effective legal remedies for data subjects. The assessment must consider both the law on the books and documented enforcement practices.
Step 3: Assess the effectiveness of the contractual safeguards and identify gaps. The controller must determine whether the SCCs (or specific clauses) provide enforceable legal rights against the data importer, whether the importer can comply with the clauses in light of the legal obligations in the destination country, and whether the clauses contain mechanisms for suspension or termination if compliance becomes impossible. If the destination country's laws override the contractual commitments (e.g., by compelling disclosure without notice to the data exporter or data subject), the contractual safeguards alone are insufficient.
Step 4: Implement supplementary measures or suspend the transfer. If gaps are identified in Step 3, the controller must implement technical, organizational, or contractual supplementary measures to bring the level of protection up to that required by the FADP. If no effective supplementary measures can be implemented, the transfer must be suspended or terminated under Article 16(2) read together with Article 9(3) DPO.
Examples of supplementary measures
The FDPIC has not published an exhaustive list of acceptable supplementary measures, but its guidance and references to EDPB Recommendations 01/2020 indicate the following approaches are relevant:
- Technical measures: End-to-end encryption (with keys held exclusively by the data exporter or data subject), pseudonymization or anonymization prior to transfer, multi-party computation, split or distributed processing (data stored in adequate-country jurisdictions, computation in non-adequate jurisdictions without access to raw data), and technical access controls preventing the importer or local authorities from accessing personal data in clear text.
- Organizational measures: Policies requiring the data importer to challenge disproportionate government data requests and to notify the data exporter (unless legally prohibited), transparency reports disclosing the number and nature of government requests, and appointment of an independent auditor to verify compliance.
- Contractual measures: Additional contractual clauses imposing stricter security obligations, requiring the importer to exhaust all legal remedies before complying with government access requests, and providing for immediate suspension of the transfer if the importer becomes subject to a legal obligation incompatible with the SCCs. However, the FDPIC has emphasized that purely contractual measures are insufficient on their own when the destination country's law permits direct government access that bypasses the data importer's control (e.g., network taps or mandatory backdoors).
The effectiveness of supplementary measures depends heavily on the nature of the data and the processing purpose. For instance, encryption may be effective for data at rest but not for data that must be processed in clear text by the importer (e.g., customer support analysis, automated decision-making). In such cases, the controller may conclude that no effective supplementary measures exist and the transfer is unlawful under Article 16(2) FADP.
United States as a case study: post-DPF impact assessments
Following the Swiss Federal Council's adequacy decision for the Swiss-US Data Privacy Framework (effective September 15, 2024), transfers to DPF-certified US companies no longer require SCCs or a transfer impact assessment — the adequacy decision itself satisfies Article 16(1) FADP. However, transfers to non-certified US companies remain subject to Article 16(2) safeguards and the transfer impact assessment obligation.
For non-certified US recipients, the FDPIC's June 2021 guide contains a detailed questionnaire on US surveillance laws, specifically FISA Section 702 (50 U.S.C. § 1881a) and Executive Order 12333. The guide asks whether the US recipient or any sub-processor falls within the definition of an "electronic communication service provider" under FISA 702, whether the recipient is subject to Federal Trade Commission or Department of Transportation jurisdiction (a prerequisite for DPF eligibility that may also indicate FISA exposure), and whether the recipient has received National Security Letters or FISA orders in the past. If the answer to any question indicates likely exposure to US government access, the controller must implement supplementary measures — typically end-to-end encryption with exporter-held keys — or suspend the transfer.
The FDPIC's position on US transfers post-DPF mirrors that of several EU data protection authorities: certification under the DPF resolves the adequacy question, but reliance on SCCs for non-certified US recipients remains high-risk and requires robust technical safeguards. Many Swiss practitioners recommend that companies prioritize DPF-certified US vendors or, where technical encryption is feasible, implement encryption as a matter of course even when the importer is certified, to hedge against future adequacy-framework instability following potential CJEU or Swiss Federal Administrative Court challenges.
Documentation and FDPIC accountability
The FDPIC expects controllers to document the transfer impact assessment as part of their record of processing activities (Article 12 FADP) or as a standalone internal compliance document. While there is no statutory obligation to submit the assessment to the FDPIC proactively (unlike the notification requirement for Article 16(2)(b) specific agreements, which must be notified before the transfer), the FDPIC may request the documentation during an investigation under Article 49 FADP. Controllers should retain records showing:
- The identity and location of each data importer and sub-processor;
- The legal analysis of the destination country's surveillance and data access laws;
- The supplementary measures implemented (with technical specifications or contracts as attachments);
- The date of the assessment and any subsequent re-assessments (the FDPIC recommends periodic reviews, particularly when the destination country enacts new surveillance laws or when public reporting reveals changes in enforcement practices);
- The decision to proceed with, modify, or suspend the transfer.
If the FDPIC determines during an investigation that a controller transferred data to a non-adequate country without conducting a transfer impact assessment or without implementing necessary supplementary measures, the FDPIC may issue a formal ruling under Article 51(1) FADP requiring the controller to suspend the transfer, implement specified safeguards, or terminate the processing relationship. In cases of intentional non-compliance, the responsible natural person (director, data protection officer, or senior manager) may face criminal sanctions under Article 61 FADP — a fine of up to CHF 250,000.
Interaction with GDPR for dual-regulated transfers
Many Swiss controllers are also subject to the EU General Data Protection Regulation (GDPR) when they process personal data of EU/EEA residents. For these controllers, a single transfer (e.g., from Geneva to a non-adequate country) may trigger both Swiss FADP Article 16 and GDPR Chapter V requirements. The FDPIC's August 27, 2021 guidance on using EU SCCs for Swiss transfers acknowledges this dual regulation and recommends that controllers conduct a single integrated transfer impact assessment covering both Swiss and EU legal requirements, rather than duplicating the analysis. The substantive assessment criteria under FDPIC guidance and EDPB Recommendations 01/2020 are aligned, reflecting Switzerland's policy goal of maintaining compatibility with EU data protection law. Controllers should document which legal regime(s) apply to each transfer and ensure that the supervisory authority designations in the SCCs correctly identify the FDPIC (for Swiss-governed transfers) and the relevant EU/EEA data protection authority (for GDPR-governed transfers).
Source: Federal Act on Data Protection (FADP), SR 235.1, Article 16
Source: Data Protection Ordinance (DPO), SR 235.11, Article 9
Source: FDPIC, Cross-border transfer of personal data
Source: FDPIC, Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 letters b and d FADP), published June 2021, updated May 2023
Binding corporate rules (BCRs) under Article 16(2)(e) FADP — intra-group transfer mechanism and EU BCR recognition
Binding corporate rules (BCRs) provide a mechanism for multinational corporate groups to transfer personal data across borders within the same corporate family without executing individual data transfer agreements for each intra-group transfer. Under Article 16(2)(e) of the Federal Act on Data Protection (FADP), which entered into force on September 1, 2023, personal data may be disclosed to a non-adequate country if the controller implements binding corporate rules that apply to all undertakings concerned in the same group of undertakings. This transfer basis is particularly suited to multinationals with subsidiaries, branches, or affiliates in countries that do not appear on the Federal Council's adequacy list (Annex 1 to the Data Protection Ordinance).
BCRs function as internal data protection policies that are legally binding on all entities within the corporate group, regardless of their geographic location. The rules must ensure that data subjects enjoy the same level of protection regardless of which group entity processes their data. For a Swiss controller or processor, BCRs offer administrative efficiency — once approved, the rules permit ongoing intra-group data flows without the need to execute and maintain standard contractual clauses (SCCs) with every group entity or to notify the Federal Data Protection and Information Commissioner (FDPIC) before each transfer under Article 16(2)(b) FADP.
Legal requirements under Articles 9 and 10 of the Data Protection Ordinance
Articles 9 and 10 of the Data Protection Ordinance (DPO, SR 235.11) specify the substantive and procedural requirements for BCRs. Although the text of these articles is not fully reproduced in all publicly accessible English-language summaries, the FDPIC's guidance confirms that BCRs must address the following core elements:
Article 9(1) DPO requires that BCRs specify the organizational structure of the group, including:
- The identity and contact details of each entity bound by the BCRs (controllers and processors within the group);
- The roles and responsibilities of each entity (which entities act as controllers, which as processors, and which process data on behalf of other group members);
- The categories of personal data subject to intra-group transfers and the purposes of processing;
- A description of the data flows (from which entities to which entities, covering which jurisdictions).
Article 9(2) DPO mandates that BCRs include data-subject rights provisions equivalent to those guaranteed under the FADP. The BCRs must provide data subjects with enforceable rights to:
- Access, rectification, erasure, and restriction of processing (mirroring Articles 25–28 FADP);
- Object to processing and challenge automated individual decisions (Article 21 FADP);
- Lodge complaints with the FDPIC or bring claims before Swiss courts, regardless of which group entity processes the data.
The BCRs must specify the point of contact within the corporate group (often a designated privacy officer or representative) to whom data subjects may address requests or complaints, and the procedures for responding to such requests within the statutory deadlines (typically 30 days under Article 25(5) FADP for access requests).
Article 10 DPO governs the legal enforceability and liability requirements. The BCRs must be:
- Legally binding on all entities in the group. This typically requires that the BCRs be adopted as a formal corporate policy by the ultimate parent company and that each subsidiary or affiliate execute a binding undertaking or adhesion agreement committing to comply with the rules. The FDPIC has indicated that a unilateral declaration by the parent is insufficient unless accompanied by a legally enforceable mechanism (such as contract, articles of association, or intra-group service agreement) that allows data subjects or the FDPIC to hold non-compliant group entities accountable.
- Enforceable by data subjects against any group entity that violates the BCRs. The BCRs must include a third-party beneficiary clause granting data subjects direct standing to bring claims for breach of the rules, including claims for damages under Article 32 FADP.
- Accompanied by liability provisions specifying which entity (or entities) within the group bears responsibility for damages arising from a breach of the BCRs. Many BCRs adopt a joint and several liability model, designating the Swiss data exporter (or the EU parent controller) as jointly liable with the data-importing entity, so that the data subject can seek redress from either entity.
Article 9(3) DPO cross-references the transfer impact assessment obligation: when the BCRs permit transfers to countries whose laws allow disproportionate government access to personal data, the controller must assess whether the BCRs alone provide adequate protection or whether supplementary technical or organizational measures are necessary. This requirement parallels the transfer impact assessment obligation for SCC-based transfers and reflects the post-Schrems II landscape. The FDPIC has stated that BCRs relying solely on contractual commitments are insufficient when the destination country's surveillance laws override those commitments; in such cases, the controller must implement encryption, pseudonymization, or other technical safeguards as part of the BCR framework.
FDPIC approval process and timeline
BCRs require prior approval by the FDPIC before they may be used as a transfer basis under Article 16(2)(e) FADP. The controller (or the designated lead entity within the group) must submit the BCRs to the FDPIC together with:
- A completed application form (available on the FDPIC website in German, French, and Italian);
- A copy of the BCRs in one of Switzerland's official languages (German, French, or Italian), or in English with a certified translation summary of key provisions if requested by the FDPIC;
- Documentation demonstrating the legal enforceability of the BCRs within the corporate group (e.g., board resolutions, intra-group adhesion agreements, or articles of association amendments);
- A list of all entities bound by the BCRs, their locations, and their roles (controller or processor);
- If applicable, a transfer impact assessment for transfers to non-adequate countries with intrusive surveillance laws, together with a description of any supplementary measures implemented.
The FDPIC's review timeline is not specified in the FADP or DPO, but the FDPIC has published guidance indicating that it aims to complete the review within 90 days of receiving a complete application — the same timeline that applies to approval of standard data protection clauses under Article 16(2)(d) FADP. In practice, the FDPIC may request additional information or revisions to the BCRs during the review, which extends the timeline. Controllers should allow at least four to six months from initial submission to final approval, particularly for large multinational groups with complex data flows.
The FDPIC charges a fee for BCR approval. Under Articles 58 and 59 FADP and the FDPIC's fee schedule, private controllers are charged between CHF 150 and CHF 250 per hour for the FDPIC's review work, depending on the seniority of the reviewing staff. For a typical BCR approval involving a mid-sized corporate group, fees range from CHF 5,000 to CHF 15,000. Large multinational groups with hundreds of entities or particularly complex data flows may face higher fees. The FDPIC may waive or reduce fees if the approval is deemed to be in the public interest or required minimal effort, though such waivers are rare in practice for BCR approvals.
Once the FDPIC issues a formal approval decision, the BCRs become effective and may be relied upon for all intra-group transfers covered by the rules. The approval is not time-limited, but the controller must notify the FDPIC of material changes to the BCRs (such as adding new entities to the group, expanding the scope of data processing, or amending data-subject rights provisions). Material changes require re-approval by the FDPIC before they take effect.
Recognition of EU-approved BCRs — no separate Swiss approval required
A significant streamlining provision applies to BCRs that have already been approved by a data protection authority in an adequate country. Under the FDPIC's guidance on cross-border transfers, if a corporate group's BCRs have been approved by a European Union or European Economic Area data protection authority (e.g., the Irish Data Protection Commission, the French CNIL, or the German federal or state DPAs), no separate approval from the FDPIC is required. The Swiss entities within the group may rely on the EU-approved BCRs immediately for transfers to and from Switzerland, provided the BCRs cover Switzerland and Swiss data subjects.
This mutual recognition reflects Switzerland's policy of aligning its data protection framework with the EU GDPR to preserve mutual adequacy and facilitate cross-border data flows. The FDPIC has confirmed that EU BCR approvals issued under the GDPR Article 47 consistency mechanism — wherein a lead supervisory authority coordinates approval with other EU DPAs and the European Data Protection Board (EDPB) — satisfy the Article 16(2)(e) FADP requirement. The corporate group does not need to submit the BCRs to the FDPIC for a parallel Swiss approval, though the FDPIC recommends that the group provide a courtesy notification to the FDPIC informing it that the BCRs have been approved in the EU and will be applied in Switzerland. Such notification is not legally required, but it establishes a record with the FDPIC and may expedite any future investigations or inquiries.
The mutual recognition applies only to BCRs approved by a DPA in a country on the Federal Council's adequacy list. As of June 2, 2026, the adequacy list includes all EU and EEA member states and the United Kingdom. BCRs approved by data protection authorities in non-adequate countries (e.g., the United States, China, India, Brazil outside of any formal adequacy decision) do not benefit from automatic recognition and must be submitted to the FDPIC for separate Swiss approval.
For BCRs approved in the United Kingdom under the UK GDPR and the Data Protection Act 2018, the FDPIC has confirmed that the same mutual recognition applies. UK Information Commissioner's Office (ICO) BCR approvals are recognized in Switzerland without the need for a separate FDPIC decision, provided the BCRs explicitly extend to Switzerland and Swiss data subjects.
Practical considerations and relationship to EU BCRs
Most multinational groups with operations in both Switzerland and the EU/EEA adopt a single set of BCRs covering both regimes. The EDPB has published detailed guidance on BCR content and the approval process (EDPB Guidelines 1/2022 on BCRs for controllers and WP 257 on BCRs for processors, adopted under the predecessor Article 29 Working Party and endorsed by the EDPB). Although this guidance is not formally binding on the FDPIC, Swiss practitioners treat it as persuasive authority when drafting Swiss BCRs, given the policy of alignment with the GDPR.
When drafting BCRs intended for both Swiss and EU approval, controllers should:
- Designate the FDPIC as a supervisory authority with equivalent powers to EU DPAs for BCR enforcement, including the power to investigate and issue binding rulings under Article 51 FADP;
- Specify that data subjects in Switzerland may bring claims in Swiss courts (alongside or in lieu of EU courts) for breaches of the BCRs, and that Swiss law governs claims by Swiss data subjects (or, alternatively, that the BCRs grant the data subject a choice of law and forum);
- Include Swiss-specific transparency requirements (e.g., references to Article 19 FADP's duty to inform data subjects of cross-border transfers and the safeguards in place);
- Address the transfer impact assessment requirement explicitly in the BCRs, committing the group to assess and implement supplementary measures for transfers to high-risk jurisdictions, and to document such assessments as part of the group's record of processing activities under Article 12 FADP.
For groups that already hold EU BCR approval and wish to extend coverage to Switzerland, the simplest path is to amend the existing EU BCRs to add Switzerland-specific provisions (FDPIC designation, Swiss courts, Swiss-law choice-of-law clauses for Swiss data subjects) and then either (i) seek a supplementary approval from the lead EU DPA confirming the amended BCRs also cover Switzerland, or (ii) rely on the existing EU approval and provide a courtesy notification to the FDPIC. The FDPIC has indicated that approach (ii) is acceptable provided the EU BCRs substantively comply with FADP requirements, even if they do not explicitly mention Swiss law — the key test is whether the BCRs guarantee equivalent protection to that required by the FADP.
Ongoing compliance and accountability
Once BCRs are approved and implemented, the controller (or designated lead entity) bears ongoing accountability obligations:
- Training and awareness: All employees within the group who handle personal data must be informed of the BCRs and trained on compliance, including the procedures for responding to data-subject requests and the escalation path for data security breaches.
- Monitoring and audits: The BCRs must specify a monitoring mechanism (often delegated to a group data protection officer or compliance team) to verify that all entities comply with the rules. Many BCRs require annual internal audits or external third-party audits covering a sample of group entities and data flows.
- Breach notification: Data security breaches involving intra-group transfers must be reported to the FDPIC under Article 24 FADP within 72 hours if the breach is likely to result in a high risk to the data subject's personality or fundamental rights, regardless of which group entity experienced the breach. The BCRs should specify the internal escalation procedures for breach reporting.
- Updates and re-approval: Material changes to the BCRs — such as adding new entities, expanding data categories, or amending data-subject rights provisions — require notification to the FDPIC and, in many cases, re-approval. The FDPIC has not published detailed guidance on what constitutes a "material" change, but Swiss practitioners apply the EDPB's BCR guidance by analogy: changes to the substantive protections, the scope of data processing, or the legal enforceability mechanisms are material and require re-approval; administrative updates (e.g., updating the contact details of the group privacy officer) may be notified without re-approval.
- Record-keeping: The controller must maintain records of the BCRs, the FDPIC approval decision (or the EU DPA approval decision if relying on mutual recognition), the list of bound entities, and any subsequent amendments or re-approvals as part of its record of processing activities under Article 12 FADP. The FDPIC may request these records during an investigation under Article 49 FADP.
Criminal liability for non-compliant BCR transfers
If a controller transfers personal data abroad under BCRs that have not been approved by the FDPIC (or by a DPA in an adequate country), or if the BCRs fail to satisfy the requirements of Articles 9 and 10 DPO, the transfer violates Article 16(2)(e) FADP. Article 61 FADP imposes criminal liability on the responsible natural person (director, senior manager, or data protection officer) for intentional violations of the data-disclosure-abroad rules. The penalty is a fine of up to CHF 250,000. Article 61 applies only to intentional breaches — negligent reliance on deficient BCRs, while a compliance failure, does not trigger criminal liability. However, the FDPIC may issue a formal ruling under Article 51(1) FADP requiring the controller to suspend the transfers, implement compliant safeguards, or terminate the intra-group data flows.
Source: Federal Act on Data Protection (FADP), SR 235.1, Articles 16, 61
Source: Data Protection Ordinance (DPO), SR 235.11, Articles 9, 10
Source: FDPIC, Cross-border transfer of personal data
Source: FDPIC, Fees
Article 16(2)(b) FADP notification requirement — pre-transfer notice to the FDPIC for specific contractual clauses
Article 16(2)(b) of the Federal Act on Data Protection (FADP) permits cross-border disclosure of personal data to a country not on the Federal Council's adequacy list (Annex 1 to the Data Protection Ordinance) when the controller or processor uses data protection clauses in a specific agreement between the disclosing party and the foreign recipient. Unlike the GDPR, which contains no analogous pre-notification requirement for ad hoc contractual transfer mechanisms, Swiss law imposes a mandatory notification obligation to the Federal Data Protection and Information Commissioner (FDPIC) before the data is disclosed abroad. This procedural requirement is a hard deadline that practitioners must build into project timelines for cross-border data flows that cannot rely on standard contractual clauses or other Article 16(2) safeguards.
Statutory framework and distinction from standard contractual clauses
Article 16(2)(b) FADP provides that personal data may be disclosed to a non-adequate country if the controller ensures adequate protection "through data protection clauses in a contract." This provision is separate from Article 16(2)(d), which governs standard data protection clauses that the FDPIC has approved, issued, or recognized (including the European Commission's SCCs under Implementing Decision (EU) 2021/914 and the Council of Europe's Model Contractual Clauses). The distinction is critical:
- Article 16(2)(d) standard clauses: No notification to the FDPIC is required. The controller may begin transferring data immediately upon execution of the recognized SCCs, provided the clauses include the required Swiss adaptations (FDPIC designated as supervisory authority in Annex I.C, Swiss courts specified as an alternative jurisdiction for data-subject claims, references to GDPR understood as references to FADP).
- Article 16(2)(b) specific contractual clauses: The controller must notify the FDPIC before the transfer occurs. The notification is not an approval process — the FDPIC does not issue a decision permitting or prohibiting the transfer — but the controller may not disclose the data abroad until the notification has been made. The FDPIC guidance states unambiguously: "Before the data is disclosed abroad, the Federal Data Protection and Information Commissioner (FDPIC) must be notified of these clauses."
Article 16(2)(b) is intended for bespoke transfer agreements where the controller negotiates custom data protection terms with the foreign recipient rather than adopting a pre-approved template. This may occur when the recipient refuses to execute the EU SCCs (e.g., a US government contractor subject to procurement regulations that prohibit GDPR-derived choice-of-law clauses), when the transfer involves a specialized processing context not contemplated by the SCCs (e.g., cross-border clinical trial data sharing with protocol-specific safeguards), or when the controller is already party to a broader commercial agreement and embeds the data protection clauses as an annex or schedule to that agreement.
Minimum content requirements under Article 9(1) DPO
Article 9(1) of the Data Protection Ordinance (DPO, SR 235.11) prescribes the minimum substantive content that data protection clauses in a specific agreement under Article 16(2)(b) must contain. The Ordinance requires that the clauses include at least the following points:
- The requirement to apply the core data protection principles: legality, good faith, proportionality, transparency, purpose limitation, and accuracy. These are the principles set out in Articles 6–8 FADP, and the contractual clauses must bind the recipient to observe them as though it were subject to Swiss law.
- If applicable, the names of the countries or international organizations in which personal data will be onward-disclosed and the requirements for such onward disclosure. This provision addresses sub-processor chains and ensures the initial recipient cannot forward the data to a third country with weaker protections without contractual constraints.
- If the recipient is a controller (not merely a processor acting on behalf of the Swiss controller), the requirement to inform data subjects about the processing. This parallels the transparency obligations in Article 19 FADP.
- The data subjects' rights under Swiss law, including the right of access (Article 25 FADP), rectification, erasure, and objection, and the mechanism by which the data subject may exercise those rights against the foreign recipient.
- Verification and enforcement mechanisms, including the controller's right to audit the recipient's compliance with the clauses and the recipient's obligation to cooperate with such audits.
Under Article 9(2) DPO, the controller (or processor, in the case where the Swiss entity is itself a processor disclosing data to a sub-processor abroad) must take appropriate measures to ensure that the recipient complies with the contractual clauses. This goes beyond the paper obligation — the controller must implement ongoing monitoring, which may include periodic attestations, third-party audits, or technical access controls that allow the controller to verify the recipient's adherence to the data protection clauses.
Notification procedure and timing
The FDPIC has not published detailed procedural guidance on how to submit the Article 16(2)(b) notification or what information the notification must contain. The statutory text itself does not specify a notification form, and as of June 2026 the FDPIC's website does not provide a dedicated online portal for Article 16(2)(b) notifications (unlike the breach notification portal at databreach.edoeb.admin.ch). The FDPIC's cross-border transfer guidance states only that notification "must be made" before the transfer and that "responsibility for providing evidence that all necessary measures to protect the data have been taken remains with the controller" despite the notification.
In practice, Swiss data protection practitioners typically submit Article 16(2)(b) notifications by email to the FDPIC's general contact address (info@edoeb.admin.ch) or through the FDPIC's general online reporting form (available at edoeb.admin.ch/en/report-form-data-subjects, though that form is labeled "for data subjects" and may not be the optimal channel). A prudent notification should include:
- The identity and contact details of the controller (or processor, if applicable) making the disclosure;
- The identity and location of the foreign recipient;
- A description of the categories of personal data being transferred and the processing purpose;
- A copy of the data protection clauses (either as a standalone annex or embedded within the broader commercial agreement, with relevant sections highlighted);
- A summary of the supplementary measures (if any) implemented to address risks in the destination country, particularly if the recipient is located in a jurisdiction with intrusive surveillance laws (e.g., United States for non-DPF-certified companies, China under PIPL, Russia);
- The anticipated start date of the cross-border disclosure.
The FDPIC does not impose a statutory review period for Article 16(2)(b) notifications. The obligation is satisfied once the controller has transmitted the notification — the FDPIC's silence does not constitute approval or rejection. This contrasts sharply with Article 16(2)(d) standard clauses submitted for FDPIC approval, where Article 11(2) DPO requires the FDPIC to issue a decision within 90 days. For Article 16(2)(b) specific agreements, the controller may proceed with the transfer immediately after notifying the FDPIC, subject to the controller's own assessment that the clauses satisfy Article 9(1) DPO and that the transfer complies with Article 16(2) FADP.
FDPIC investigative authority and ex post enforcement
Although the notification itself is not an approval mechanism, the FDPIC retains ex post investigative and enforcement powers under Articles 49 and 51 FADP. If the FDPIC concludes — whether based on the notification itself, a data-subject complaint, or its own-initiative investigation — that the contractual clauses do not provide adequate protection or that the controller has failed to implement appropriate supplementary measures, the FDPIC may issue a formal ruling under Article 51(2) FADP prohibiting or delaying the disclosure abroad. Article 51(2) provides that the FDPIC "may delay or prohibit disclosure abroad if this violates the requirements of Article 16 or 17." Such a ruling is binding and subject to appeal to the Federal Administrative Court.
The FDPIC has not published statistics on the volume of Article 16(2)(b) notifications it receives or the frequency with which it has exercised its Article 51(2) prohibition authority. Anecdotal practitioner reports suggest that the FDPIC rarely intervenes in Article 16(2)(b) transfers unless the notification reveals a clear deficiency (e.g., clauses that omit data-subject rights entirely, or a transfer to a jurisdiction under international sanctions where adequate protection is manifestly impossible). However, the potential for FDPIC intervention creates legal risk, particularly for high-volume or sensitive data transfers, and many Swiss controllers prefer to use the recognized EU SCCs under Article 16(2)(d) whenever the recipient will accept them, thereby avoiding the notification requirement and the associated regulatory uncertainty.
Relationship to Article 9(3) DPO and transfer impact assessments
Article 16(2)(b) specific agreements are subject to the same transfer impact assessment obligation as Article 16(2)(d) standard contractual clauses when the destination country lacks adequate data protection. Article 9(3) DPO provides that when relying on data protection clauses (whether specific or standard), "the lack of adequate protection [in the recipient country] must be compensated by sufficient guarantees." This is the Swiss equivalent of the EDPB's post-Schrems II transfer impact assessment framework. The controller must assess whether the destination country's laws (particularly government surveillance and data access laws) would undermine the contractual safeguards and, if so, implement supplementary technical, organizational, or contractual measures (encryption, pseudonymization, split processing, binding commitments to challenge government requests).
The FDPIC's Guide for checking the admissibility of data transfers with reference to foreign countries (Art. 16 para. 2 letters b and d FADP), published June 2021 and updated May 2023, applies equally to Article 16(2)(b) and Article 16(2)(d) transfers. Controllers using specific contractual clauses under Article 16(2)(b) should conduct the same four-step assessment (know your transfer, identify destination-country laws, assess contractual effectiveness, implement supplementary measures) as controllers using SCCs, and should document the assessment as part of the notification submission to the FDPIC or as a standalone compliance record. Failure to conduct or document the transfer impact assessment does not invalidate the notification itself, but it exposes the controller to FDPIC enforcement action under Article 51 FADP and potential criminal liability under Article 61 FADP (intentional violations punishable by fines up to CHF 250,000).
Federal bodies and the dual notification requirement
For federal bodies (Swiss government agencies, ministries, and public-law entities subject to the federal-body provisions in Chapter 5 of the FADP), Article 16(2)(b) imposes a notification requirement parallel to that for private controllers, with an additional layer: the FDPIC guidance states that "federal bodies also have the option of attaching data protection guarantees as a condition when undertaking to cooperate with a foreign state, and transferring data to the country on that basis. Here, too, the federal body must notify the FDPIC beforehand." This applies, for example, when a Swiss federal agency enters into a memorandum of understanding with a foreign government for law-enforcement or regulatory data sharing and embeds data protection clauses in the MOU.
Federal bodies are also subject to Article 12(4) FADP, which requires them to notify the FDPIC of their records of processing activities. When a federal body relies on Article 16(2)(b) for a cross-border transfer, the ROPA notification and the Article 16(2)(b) transfer notification are separate obligations, though in practice they may be submitted together or cross-referenced.
Practical considerations and comparison to GDPR
The Article 16(2)(b) notification requirement has no direct GDPR analogue. The GDPR's Article 46 permits ad hoc contractual clauses only if they are authorized by a competent supervisory authority under Article 46(3)(a), which is a formal approval process (distinct from the recognition or adequacy-finding procedures under Article 46(2)). In contrast, the Swiss FADP does not require FDPIC approval — only notification — which is a lower procedural hurdle but leaves the substantive compliance burden entirely on the controller.
Many Swiss controllers with dual FADP/GDPR obligations (e.g., a Swiss company processing data of both Swiss residents and EU/EEA residents) find that using the recognized EU SCCs under Article 16(2)(d) is simpler and less risky than drafting bespoke Article 16(2)(b) clauses, because:
- The EU SCCs require no FDPIC notification or approval (only the Swiss-specific adaptations);
- The EU SCCs benefit from extensive EDPB and national-DPA guidance, making transfer impact assessments more straightforward;
- The EU SCCs provide legal certainty for both the Swiss FADP and GDPR compliance simultaneously.
However, Article 16(2)(b) remains essential when the recipient will not or cannot execute the EU SCCs — for instance, a U.S. state government agency subject to procurement restrictions, a Chinese state-owned enterprise subject to PIPL's prohibition on "unjust" foreign contractual clauses (PIPL Article 41), or a commercial partner that has negotiated a comprehensive services agreement and refuses to execute a separate SCC document. In those cases, the controller must draft Article 16(2)(b) clauses that meet the Article 9(1) DPO content requirements, notify the FDPIC before the transfer, and document the transfer impact assessment showing that supplementary measures (if necessary) bring the level of protection up to Swiss standards.
Record-keeping and documentation
Controllers relying on Article 16(2)(b) should retain:
- A copy of the notification submitted to the FDPIC, with transmission metadata (email sent-date or form submission timestamp) proving the notification occurred before the first data transfer;
- The executed agreement containing the data protection clauses;
- The transfer impact assessment (if the destination country is non-adequate), including the legal analysis of the destination country's surveillance and data-access laws and the description of supplementary measures implemented;
- Evidence of ongoing monitoring under Article 9(2) DPO, such as audit reports, attestations from the recipient, or logs showing the controller's verification of the recipient's compliance.
The FDPIC may request these records during an investigation under Article 49 FADP. If the controller cannot produce evidence that it notified the FDPIC before the transfer or that it conducted a transfer impact assessment, the FDPIC may issue a ruling under Article 51 FADP suspending the transfer or requiring corrective measures.
Notification vs. approval: the FDPIC's passive role
It is important to emphasize that Article 16(2)(b) notification is not an authorization or approval mechanism. The FDPIC does not issue a decision stating that the clauses are adequate or that the transfer may proceed. The notification discharges the controller's procedural obligation, but the substantive burden of ensuring that the clauses provide adequate protection remains with the controller. The FDPIC's cross-border transfer guidance states this plainly: "Despite this notification, responsibility for providing evidence that all necessary measures to protect the data have been taken remains with the controller."
This passive model contrasts with Article 16(2)(d) approval for new standard clauses (where the FDPIC must issue a decision within 90 days under Article 11(2) DPO) and with the GDPR Article 46(3)(a) authorization model (where the supervisory authority must affirmatively approve ad hoc clauses). The Swiss approach places a higher degree of legal risk on the controller — there is no "safe harbor" from FDPIC enforcement simply because the controller submitted the notification — but it allows faster deployment of cross-border transfers when the controller is confident in the adequacy of its contractual safeguards.
Source: Federal Act on Data Protection (FADP), SR 235.1, Articles 16, 49, 51, 61
Source: Data Protection Ordinance (DPO), SR 235.11, Articles 9, 11
Source: FDPIC, Cross-border transfer of personal data