Switzerland-US Data Transfers: Is the Assessment Still Needed?

Table of Contents
The New Swiss Data Protection Act and US Transfers
If you thought the Swiss-US data transfer saga was settled, think again. The revised Swiss Federal Act on Data Protection (nDSG) came into force on September 1, 2023, and it's shaking up the rules for sending personal data across the Atlantic. The big question: do you still need to conduct a transfer impact assessment (TIA) for US recipients? The short answer is yes—but with nuances.
Featured Snippet Bait: Under the nDSG, transfers to the US require an adequate level of protection. While the US-EU Data Privacy Framework (DPF) extends to Switzerland, it's not automatic. Swiss companies must verify if the US recipient is certified under the Swiss-US DPF extension, or else conduct a TIA and implement supplementary measures.
Why the Assessment Isn't Going Away
Let's be real: reading data protection laws is about as fun as cleaning grout with a toothbrush. But here's the deal—the nDSG doesn't just copy-paste the GDPR. It has its own list of countries with adequate protection, and the US isn't on it. The Federal Data Protection and Information Commissioner (FDPIC) hasn't issued a blanket adequacy decision for the US. So, unless your US partner is certified under the Swiss-US DPF, you're back to square one: a TIA.
Even with certification, the FDPIC has warned that the DPF may not fully align with Swiss law. For example, Swiss law requires a level of protection equivalent to its own, which is often stricter than the GDPR. So, don't pop the champagne yet.
What the Swiss-US Data Privacy Framework Actually Covers
The Swiss-US DPF, effective from July 2023, allows certified US companies to self-certify compliance with Swiss data protection principles. But here's the kicker: it only covers transfers to those certified entities. If you're sending data to a non-certified processor or a cloud provider that hasn't jumped through the hoops, you need a full TIA. And even with certification, you should monitor for any changes—like the FDPIC's recent statements questioning the framework's adequacy.
Practical Steps for Swiss Companies
So, what do you do? First, check if your US recipient is certified under the Swiss-US DPF. You can verify on the Data Privacy Framework website. If they are, you're good—for now. If not, you need to conduct a TIA, document it, and implement supplementary measures like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). And remember, the nDSG requires you to update your privacy notices and keep records of processing activities. It's a paperwork party, but you don't want to miss it.
FAQ
Do I need a TIA for every US transfer under the nDSG?
Not if the recipient is certified under the Swiss-US DPF. Otherwise, yes, you need a TIA and supplementary measures.
Is the Swiss-US DPF the same as the EU-US DPF?
No, it's a separate framework. The EU-US DPF doesn't automatically cover Swiss data. US companies must specifically self-certify for the Swiss extension.
What happens if I don't do a TIA?
You risk violating the nDSG, which can lead to fines up to CHF 250,000 and reputational damage. Plus, data subjects can sue for damages.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now
