Back to Blog
LegalTech & IA

Switzerland-US Data Transfers: Is the Assessment Still Needed?

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
May 29, 2026
10 min read
Switzerland-US Data Transfers: Is the Assessment Still Needed?

The New Swiss Data Protection Act and US Transfers

If you thought the Swiss-US data transfer saga was settled, think again. The revised Swiss Federal Act on Data Protection (nDSG) came into force on September 1, 2023, and it's shaking up the rules for sending personal data across the Atlantic. The big question: do you still need to conduct a transfer impact assessment (TIA) for US recipients? The short answer is yes—but with nuances.

Featured Snippet Bait: Under the nDSG, transfers to the US require an adequate level of protection. While the US-EU Data Privacy Framework (DPF) extends to Switzerland, it's not automatic. Swiss companies must verify if the US recipient is certified under the Swiss-US DPF extension, or else conduct a TIA and implement supplementary measures.

Why the Assessment Isn't Going Away

Let's be real: reading data protection laws is about as fun as cleaning grout with a toothbrush. But here's the deal—the nDSG doesn't just copy-paste the GDPR. It has its own list of countries with adequate protection, and the US isn't on it. The Federal Data Protection and Information Commissioner (FDPIC) hasn't issued a blanket adequacy decision for the US. So, unless your US partner is certified under the Swiss-US DPF, you're back to square one: a TIA.

Even with certification, the FDPIC has warned that the DPF may not fully align with Swiss law. For example, Swiss law requires a level of protection equivalent to its own, which is often stricter than the GDPR. So, don't pop the champagne yet.

What the Swiss-US Data Privacy Framework Actually Covers

The Swiss-US DPF, effective from July 2023, allows certified US companies to self-certify compliance with Swiss data protection principles. But here's the kicker: it only covers transfers to those certified entities. If you're sending data to a non-certified processor or a cloud provider that hasn't jumped through the hoops, you need a full TIA. And even with certification, you should monitor for any changes—like the FDPIC's recent statements questioning the framework's adequacy.

Practical Steps for Swiss Companies

So, what do you do? First, check if your US recipient is certified under the Swiss-US DPF. You can verify on the Data Privacy Framework website. If they are, you're good—for now. If not, you need to conduct a TIA, document it, and implement supplementary measures like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). And remember, the nDSG requires you to update your privacy notices and keep records of processing activities. It's a paperwork party, but you don't want to miss it.

FAQ

Do I need a TIA for every US transfer under the nDSG?

Not if the recipient is certified under the Swiss-US DPF. Otherwise, yes, you need a TIA and supplementary measures.

Is the Swiss-US DPF the same as the EU-US DPF?

No, it's a separate framework. The EU-US DPF doesn't automatically cover Swiss data. US companies must specifically self-certify for the Swiss extension.

What happens if I don't do a TIA?

You risk violating the nDSG, which can lead to fines up to CHF 250,000 and reputational damage. Plus, data subjects can sue for damages.

Swiss-US Transfer Assessment Likelihood

TIA Required
75%
DPF Certified
20%
Exempt (e.g., consent)
5%

Based on current FDPIC guidance and market adoption of Swiss-US DPF certification.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.