The new Swiss-U.S. Data Privacy Framework (DPF) was approved by the Federal Council on August 14, 2024.
It allows personal data to be transferred from Switzerland to US companies certified under the framework without additional contractual safeguards.
As we all know, the new Federal Act on Data Protection (FADP) lays down fairly strict conditions for the transfer of personal data abroad. In particular, the United States is not considered by the Federal Council as a country that guarantees a sufficient level of protection for the processing of personal data.
However, as of September 15, this new DPF will enable personal data to be transferred from Switzerland to a US-based company that has signed up to the DPF, without any additional guarantees.
Please note! The DPF applies only to self-certified companies. The official list is at https://www.dataprivacyframework.gov/ ; a company's entry must show that it participates in the Swiss-U.S. DPF (certification under the EU-U.S. DPF alone is not sufficient) and that its certification status is active.
So what to do in practice?
As a general rule, before transferring personal data abroad, it is necessary to ensure that the other principles/obligations of the Federal Act on Data Protection (FADP) are respected, namely lawfulness, proportionality, purpose, privacy by design and by default, and security.
Next, go to https://www.dataprivacyframework.gov/ and check whether the company to which you wish to transfer personal data has signed up to the Swiss-U.S. DPF (a simple search will do the trick), and whether the type of data to be transferred is covered by its certification (HR and/or non-HR data).
The contract between EPFL and the US company in question can therefore be simplified, as it is no longer necessary to have specific clauses signed, in particular the Standard Contractual Clauses (SCCs) approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). However, it is recommended to include in the contract (1) a commitment by the US company to sign SCCs should the DPF be invalidated, and (2) an obligation for the US company to maintain its DPF certification, or at least to inform EPFL if this is no longer the case (in which case the transfer must be renegotiated).
What if the American company isn’t DPF-certified?
In this case, a transfer of personal data between Switzerland and the USA can only take place on the basis of adequate contractual guarantees, such as SCCs approved by the FDPIC or, in limited cases, on the basis of the other conditions set out in art. 17 FADP.
Does the DPF make it possible to escape the restrictive conditions of “official secrecy” (art. 320 of the Swiss Criminal Code)?
Alas, no! The DPF in no way alters the obligation of EPFL staff to respect official secrecy. In the case of data processing subject to official secrecy, the data processor is obliged to maintain secrecy as an auxiliary within the meaning of art. 320 of the Swiss Criminal Code, and this clause must be included in the contractual documents (it is already present in our document “Data processing agreement”).
Is it necessary to renegotiate contracts with American companies that are already our partners?
Pragmatically, there is no need to renegotiate existing contracts, especially if they already include Standard Contractual Clauses (SCCs).
And if I haven’t understood the above but I need to sign a contract with an American company, who can help me?
Contact the Purchasing Department or [email protected] for questions relating to a research project. These EPFL departments are in contact with the DPO for questions relating to data protection. Please note that if a research project is subject to special conditions or authorizations from funding bodies or cantonal ethics commissions (e.g. projects under the Human Research Act, HRA), a case-by-case analysis must be carried out beforehand.