Nutty Problem of Using US Software Services – Is There an Easier Way?
Part 2 - see also Blog 1 "Why it is worth processing Swiss personal data in Switzerland"
In our connected world, it is sometimes forgotten that the apparent ease of global data flows is legally anything but straightforward. Recent laws for the protection of personal data, such as the EU General Data Protection Regulation (GDPR), the new Swiss Data Protection Act (nDSG), and parallel regulations like PIPL (China) and CCPA (California) with their stricter requirements, combined with the increasingly consistent enforcement of compliance by authorities and courts, lead to a gauntlet of ever-higher hurdles and steadily increasing risks.
This article outlines the legal requirements currently in place in Switzerland for the data protection-compliant use of SaaS (Software-as-a-Service) services from providers in the USA, such as Salesforce or Mailchimp. At the end of the article, there is also a sort of cheat code for how to make it easier.
1. "How do you feel about the insecure foreign countries?" – the crucial question regarding the transfer of personal data abroad
When it comes to cross-border data transfers, much revolves around the legislation of the destination country. The exporter must check where the service provider (= importer) is located abroad.
If the importer is located in the EU, the EEA, the UK, or another country that Switzerland recognizes as providing adequate legal data protection, the transfer is less problematic. The Federal Data Protection and Information Commissioner of Switzerland (FDPIC) currently publishes a list of these states (the so-called "list of states," accessible here under the keyword "list of countries"). After the revision of Swiss data protection law, the Federal Council will decide which countries provide adequate protection.
If, on the other hand, the importer is located in a so-called unsafe foreign country (which includes in particular the USA, India, China, Ukraine, and most other states worldwide), a transfer is only permissible under certain conditions (see also the FDPIC's flowchart graphic):
§ First, a DTIA must be created that details the planned data transfer in the specific case (see 2.1 below);
§ then the transfer must be secured with contractual arrangements (Standard Contractual Clauses) (see 2.2 below);
§ finally, any additional measures that are necessary (see 2.3 below) should be implemented to protect the data.
Only if a final overall assessment of these examinations, contracts, and other measures concludes that the data is adequately protected is the transfer permissible.
If the lack of legal protection cannot be compensated for by such contracts and measures, the data transfer is unlawful and carries the corresponding non-compliance risks, such as personal (!) fines of up to CHF 10,000 or CHF 250,000 (nDSG), corporate fines of up to 20 million or more (within the scope of the GDPR), loss of good standing (i.e., a criminal record entry), administrative bans, damage to reputation, etc.
2. The individual steps and measures
2.1 DTIA – Data Transfer Impact Assessment
First, the specific data transfer must be considered:
§ What personal data is being transmitted?
§ Who are the affected individuals?
§ To which recipient?
§ Which subcontractors does the recipient use?
§ For what purpose are the data being transferred?
§ Which law is the recipient subject to?
§ Are there government access rights under this law (which is particularly the case for "Electronic Communication Service Providers" in the USA, a category into which most US cloud providers are likely to fall), and are there adequate legal remedies against such access (which, according to the FDPIC's assessment, is not the case in the USA)?
§ Are the four guarantees regarding access by the authorities of the destination country ensured in that country (clear legal basis, necessity and proportionality, effective legal remedies, and adequate access to a court)?
These questions are to be documented in the context of a formal report, a "Data Transfer Impact Assessment" (DTIA).
If the four guarantees are ensured, the conclusion of standard contractual clauses is sufficient to secure the transfer. If they are not ensured, additional measures should be examined and implemented as a substitute for the missing guarantees. If these measures also do not help, then a data transfer is unlawful with the aforementioned consequences if it is carried out anyway.
2.2 Standard Contractual Clauses ("SCC")
The SCC are standardized contractual clauses issued by the EU Commission, which the FDPIC has recognized for use in Switzerland. However, to reflect the specifics of Swiss data protection law, the FDPIC requires certain additions, which are implemented in practice through a corresponding annex.
2.3 Additional Measures
When it comes to additional measures, there are basically no limits to creativity. In practice, however, this generally means encryption or similar mechanisms intended to effectively prevent ongoing access by the provider (or by the authorities of the country in which it is located).
3. Cheat-Code
Whether there is a deeper intention behind these tightening measures in law and practice to promote data nationalism, or whether it is truly about protecting personal data, which is becoming increasingly central in our digital world, remains to be seen. The fact is that in this regulatory environment that is difficult to navigate, local data storage becomes the trump card:
If you have the choice between two providers, one of which is located in the USA (i.e., an uncertain foreign country) and the other in Switzerland, the EU, or the EEA (i.e., domestic or a secure foreign country), it is much less effort to choose the local provider.
The cheat code is therefore basically as simple as it is trendy:
Buy local.
Note that this must not simply be a local subsidiary of a US corporation: surveillance laws that apply to its US parent could indirectly lead to prohibited data transfers, for which the client is ultimately liable, as it has not taken sufficient measures to protect the data.
on behalf of Stefan Isliker
Author: Kaj Seidl-Nussbaumer, Probst Partner AG