Swiss DPA’s New Data Transfer Rules in 2025: How to Stay Compliant

Switzerland’s new Model Contractual Clauses (MCCs) and Standard Contractual Clauses (SCCs) for international data transfers are now in effect. If your business transfers Swiss personal data to the U.S. or other non-adequate countries, you must comply with the latest Federal Act on Data Protection (FADP) requirements. Learn what’s changed, how it impacts GDPR compliance, and what steps you need to take to avoid legal risks in 2025.

3/13/20252 min read

red and white sail boat on water near city buildings during daytime
red and white sail boat on water near city buildings during daytime

Swiss DPA Introduces New Model Clauses for International Data Transfers – What You Need to Know

A Major Update for Cross-Border Data Transfers

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has introduced new Model Contractual Clauses (MCCs) and adaptations to Standard Contractual Clauses (SCCs) for international data transfers. These updates align with the latest Federal Act on Data Protection (FADP) and bring Swiss regulations closer to the EU's General Data Protection Regulation (GDPR).

For businesses handling personal data transfers from Switzerland to countries without an "adequate" level of protection, this marks a significant change. The FDPIC now recognizes specific contractual clauses that must be integrated into data transfer agreements.

Why This Matters for Your Business

From September 15, 2024, the United States will be included in Switzerland’s list of "adequate" countries—but only for companies certified under the Swiss-U.S. Data Privacy Framework. If your business transfers Swiss personal data to non-certified U.S. companies or other non-adequate jurisdictions, you must rely on the newly updated SCCs or MCCs.

Key Changes and Requirements

  1. Adaptation of EU SCCs to Swiss Law

    • The FDPIC recognizes the EU’s SCCs (2021/914/EU) but requires specific modifications to ensure compliance with Swiss data protection law.

    • Data exporters must determine whether only the FADP applies or if the GDPR also plays a role.

    • Swiss data subjects must have the right to bring claims in Swiss courts.

  2. Supervisory Authority Adjustments

    • When the FADP applies, the FDPIC is the competent authority.

    • If the GDPR also applies, a dual supervisory structure (FDPIC + an EU data protection authority) must be defined.

  3. Contractual Law and Jurisdiction Choices

    • For Swiss-only transfers, Swiss law should govern disputes.

    • If GDPR also applies, an EU member state’s law must be included for certain disputes.

    • Swiss data subjects must be allowed to enforce their rights in Switzerland.

  4. New Model Contractual Clauses (MCCs) under Convention 108+

    • Recognized by the FDPIC, these clauses apply to transfers between controllers and processors in non-adequate third countries.

What Should Businesses Do Now?

  • Review your existing data transfer agreements to ensure compliance with the latest Swiss DPA requirements.

  • Update SCCs to include Swiss-specific modifications and consider whether both FADP and GDPR apply to your data flows.

  • Check if your U.S. partners are certified under the Swiss-U.S. Data Privacy Framework—if not, ensure appropriate safeguards are in place.

  • Implement the newly approved MCCs when dealing with transfers under Convention 108+.

Final Thoughts

Switzerland’s new data transfer rules represent an important shift toward stronger data protection standards while maintaining alignment with EU and international privacy frameworks. Businesses must act now to ensure compliance and avoid potential enforcement actions.

If your company relies on cross-border data transfers, now is the time to revisit your contractual safeguards and ensure they align with the latest Swiss requirements.