On the basis of Article 45 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)), the European Commission determines whether a country outside the European Union (EU) offers an adequate level of data protection. The European Commission then issues an adequacy decision and carries out periodic reviews to ensure that an adequate level of data protection is still guaranteed.
The effect of an adequacy decision is that personal data can flow from the EU (and from Norway, Liechtenstein and Iceland, which, as members of the European Economic Area (EEA), are also subject to the GDPR) to a third country without any additional safeguards being required.
To date, the European Commission has recognised several countries as offering adequate protection. Switzerland was granted an adequacy decision on 26 July 2000, and Swiss data protection law has of course evolved in the meantime to continue to ensure a high level of data protection. The Federal Act on Data Protection and its implementing ordinances were revised to strengthen data protection, firstly to respond to the rapid development of new technologies and secondly to take account of international developments, in particular the reforms carried out by the European Union and the Council of Europe in this field.
In spring 2019, the European Commission launched a new assessment of the adequacy of Switzerland. A report on the maintenance of adequacy decisions with regard to several third countries, including Switzerland, is due to be published shortly.
Last modification 11.07.2023
