15 January 2024 – On January 15, 2024, the European Commission published the report on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of the Data Protection Directive 95/46/EC and confirmed the adequacy of Swiss data protection law. This means that personal data can continue to be transferred from the EU/EEA to Switzerland without additional requirements.

The EU first recognized the level of data protection in Switzerland as adequate in 2000. Following the entry into force of the EU General Data Protection Regulation (GDPR) in 2018, the EU Commission launched a reassessment of the adequacy of several countries in spring 2019, including the adequacy of Switzerland’s level of data protection.

The EU Commission has now confirmed, on the basis of the revised Swiss Federal Act on Data Protection that entered into force on 1 September 2023, that Switzerland’s data protection law is essentially in line with the GDPR, taking into account the EU Charter of Fundamental Rights and the legal standards set by the Court of Justice of the EU in its decisions Schrems I and Schrems II. 

In summary, the EU Commission welcomed the developments in the Swiss legal framework since the adoption of the first adequacy decision and stated that the revised Federal Act on Data Protection has further increased the convergence with the EU’s data protection framework, notably with respect to the protections for sensitive data and the rules on international data transfers. In the area of government access to personal data, the EU Commission concluded that Swiss public authorities are subject to clear, precise and accessible rules. The EU Commission also welcomed that Switzerland strengthened its international commitments in the field of data protection by ratifying Convention 108+ in September 2023. 

Personal data from the EU and the EEA can therefore continue to be transferred to Switzerland without the need for additional guarantees (such as, e.g., standard contractual clauses or binding corporate rules). As the EU is Switzerland’s largest trading partner, the unbureaucratic cross-border transfer of personal data is crucial for Switzerland as a business location. 

The Commission will continue to monitor the development of the data protection framework and practice and, where appropriate, may use its powers under Article 45 par. 5 GDPR to suspend, amend or withdraw the adequacy decision if negative developments affect the level of data protection.