1 Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.
2 In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:
a. sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad;
b. the data subject has consented in the specific case;
c. the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;
d. disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
e. disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;
f. the data subject has made the data generally accessible and has not expressly prohibited its processing;
g. disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
3 The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26) must be informed of the safeguards under paragraph 2 letter a and the data protection rules under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide information.