On the basis of Article 45 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)), the European Commission determines whether a country outside the European Union (EU) offers an adequate level of data protection. The European Commission then issues an adequacy decision and carries out periodic reviews to ensure that an adequate level of data protection is still guaranteed.
The effect of an adequacy decision is that personal data can flow from the EU (and from Norway, Liechtenstein and Iceland, which, as members of the European Economic Area (EEA), are also subject to the GDPR) to a third country without any additional safeguards being required.
To date, the European Commission has recognised several countries as offering adequate protection. Switzerland was granted an adequacy decision on 26 July 2000, and Swiss data protection law has of course evolved in the meantime to continue to ensure a high level of data protection. The Federal Act on Data Protection and its implementing ordinances were revised to strengthen data protection, firstly to respond to the rapid development of new technologies and secondly to take account of international developments, in particular the reforms carried out by the European Union and the Council of Europe in this field.
On 15 January 2024 the European Commission published a report on the maintenance of adequacy decisions with regard to several third countries, including Switzerland, thereby confirming that Switzerland offers an adequate level of data protection.
- Commission Decision of 26 July 2000 on the adequate protection of personal data provided in Switzerland
- Commission report of 15 January 2024 confirming that Switzerland offers an adequate level of data protection
- Working document containing the country reports accompanying the Commission's report of 15 January 2024
This document doesn’t exist in English. Please see the German, French or Italian version.
Last modification 20.02.2024