Switzerland Adequacy Decision
of 26 July 2000
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland
(notified under document number C(2000) 2304)
(Text with EEA relevance)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,
(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member State's laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and in respect of given conditions. The Working Party on Protection of Individuals with regard to the processing of Personal Data established under that Directive has issued guidance on the making of such assessments(2).
(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out and any decision based on Article 25(6) of Directive 95/46/EC should be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.
(5) As regards the Swiss Confederation, the legal standards on the protection of personal data have binding legal effect at both Federal and cantonal level.
(6) The Federal Constitution, which was amended by referendum on 18 April 1999 and which entered into force on 1 January 2000, gives every person the right to have his privacy respected and, in particular, to be protected from the misuse of data concerning him. The Federal Court has, on the basis of the previous Constitution, which did not contain any such provision, developed a case-law laying down the general principles applicable to the processing of personal data concerning, in particular, the quality of the data processed, the right of access of the persons concerned, and the right to request the correction or destruction of data. These principles are binding both on the Federation and on each canton.
(7) The Swiss Data Protection Act of 19 June 1992 entered into force on 1 July 1993. The implementing rules for certain provisions of the Act concerning, in particular, the right of access of the persons concerned, the notification of processing operations to the independent supervisory authority, and the transfer of data to a foreign country were laid down by order of the Federal Council. The Act applies to the processing of personal data by Federal bodies and by the entire private sector, and to processing operations carried out by cantonal bodies pursuant to Federal law, where such processing is not subject to cantonal provisions on data protection.
(8) Most of the cantons have adopted legislation on data protection for the areas for which they are competent, in particular public hospitals, education, direct cantonal taxes and the police. In the remaining cantons, such data processing is governed by regulatory acts or by the principles of cantonal case-law. Whatever the source and content of the cantonal provisions, or even if no cantonal provisions exist, cantons must adhere to the constitutional principles. In their field of responsibility, the cantonal authorities may have to transfer personal data to public authorities in neighbouring countries, mainly for the purpose of mutual assistance to safeguard important public interests or, in the case of public hospitals, to protect the vital interest of the persons concerned.
(9) On 2 October 1997, Switzerland ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108)(3), which aims to reinforce the protection of personal data and to ensure free circulation between the contracting parties, subject to any exceptions which these parties may provide for. Without being directly applicable, the Convention lays down the international commitments of both the Federation and the cantons. These commitments concern not only the basic principles of protection which each contracting party must implement in its internal law but also the mechanisms of cooperation between the contracting parties. In particular, the competent Swiss authorities must provide the authorities of the other contracting parties which so request with any information on the law and administrative practice regarding data protection, and with information on any specific instance of automatic processing of data. They must also assist any person residing abroad in exercising his right to be informed about the existence of processing operations on data concerning him, the right to access his data or to ask for them to be corrected or deleted, and the right of judicial remedy.
(10) The legal standards applicable in Switzerland cover all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authorities, such as the Federal Commissioner invested with powers of investigation and intervention. Furthermore, the provisions of Swiss law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons concerned.
(11) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(12) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered Opinions on the level of protection provided by Swiss law which have been taken into account in the preparation of this Decision(4).
(13) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC,
HAS ADOPTED THIS DECISION: