Cross-Border Data Transfers Under the nFADP: A Complete Guide for Swiss SMEs
Every Swiss business with a website, a cloud service, or an international client transfers personal data across borders, often without realising it. Since the revised Federal Act on Data Protection (nFADP / nDSG) entered into force on 1 September 2023, these transfers are subject to strict legal requirements, and intentional breaches carry personal criminal liability.
This guide explains the complete legal framework for international data transfers under the nFADP, walks through each safeguard mechanism available to Swiss SMEs, and provides a practical step-by-step assessment process you can follow today.
Why Cross-Border Data Transfers Matter
When your Zurich-based marketing agency sends a newsletter through Mailchimp (servers in the US), when your Geneva accounting firm stores client files on Google Drive, or when your Basel e-commerce shop processes payments via Stripe, personal data leaves Switzerland. Under the nFADP, every one of these transfers requires a legal basis.
The stakes are not abstract. Art. 61 lit. a nFADP provides for criminal fines of up to CHF 250,000 against the responsible natural person, not the company, for intentionally disclosing personal data abroad in breach of Art. 16 and 17; prosecution is on complaint, and negligence is not punishable. This makes Switzerland's enforcement model fundamentally different from the GDPR, where fines target the organisation. In Switzerland, the person who ordered or carried out an unlawful transfer faces personal liability.
The Legal Framework: Art. 16-18 nFADP
The nFADP addresses cross-border data transfers in three key provisions:
Article 16: Principle and Adequate Protection
Art. 16 para. 1 establishes the baseline rule: personal data may be disclosed abroad if the Federal Council has determined that the legislation of the destination country or the international body ensures an adequate level of protection. This is the simplest transfer mechanism โ if the destination is on the adequacy list, no additional safeguards are needed.
Art. 16 para. 2 defines what happens when there is no adequacy decision. The controller may still transfer data if appropriate safeguards ensure adequate protection, including:
- (lit. a) An international treaty
- (lit. b) Data protection clauses in a contract between the parties, notified to the FDPIC in advance
- (lit. c) Specific guarantees drawn up by the competent federal body and notified to the FDPIC in advance
- (lit. d) Standard data protection clauses approved, issued or recognised in advance by the FDPIC; this is the SCC mechanism
- (lit. e) Binding Corporate Rules (BCRs) approved in advance by the FDPIC or by a foreign data protection authority
Article 17: Derogations
When neither adequacy nor safeguards apply, Art. 17 provides a list of exceptions (derogations) that permit transfers in specific circumstances. These include explicit consent, contract performance, overriding public interest, and protection of life or physical integrity.
Article 18: Electronic Publication
Art. 18 clarifies that publishing personal data in electronic form (for example on a public website) does not count as disclosure abroad merely because the data can be retrieved from abroad, provided the publication is not directed at persons abroad. The adequacy list itself is not in the Act: the Federal Council determines adequacy in Annex 1 of the Data Protection Ordinance (DPO), and the FDPIC publishes the current list at edoeb.admin.ch.
The full legal text is available on fedlex.admin.ch, the official Swiss legislation portal.
The FDPIC Adequacy List: Which Countries Are "Adequate"?
Adequacy is determined by the Federal Council in Annex 1 of the Data Protection Ordinance (DPO); the Federal Data Protection and Information Commissioner (FDPIC / EDÖB) publishes the current list. This list is the first thing you check before any international transfer.
Countries with adequate protection (as of 2025):
- All EU/EEA member states (covered by the GDPR framework)
- United Kingdom (post-Brexit adequacy)
- Canada (for transfers subject to PIPEDA)
- Israel
- New Zealand
- Argentina
- Uruguay
- Japan
- South Korea
- Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey (small jurisdictions with dedicated data protection laws)
The United States: partial adequacy
The US does not have a general federal data protection law comparable to the nFADP. However, the Swiss-U.S. Data Privacy Framework (DPF), effective since 15 September 2024, provides an adequacy basis for transfers to US organisations that are DPF-certified. You can verify a provider's certification at dataprivacyframework.gov.
If the US recipient is not DPF-certified, there is no adequacy, and you must rely on SCCs or another safeguard from Art. 16 para. 2.
Practical tip: Bookmark the FDPIC adequacy list and check it before onboarding any new vendor. The list is updated periodically, and countries can be added or removed. A country's adequacy status today does not guarantee its status next year.
Standard Contractual Clauses (SCCs): The Most Common Safeguard
For transfers to countries not on the adequacy list, Standard Contractual Clauses are the most widely used safeguard mechanism under Art. 16 para. 2 lit. d nFADP.
What are SCCs?
SCCs are pre-approved contractual templates that impose data protection obligations on the data importer (the foreign recipient) equivalent to Swiss law. They create a legally binding framework ensuring the importer handles personal data consistently with nFADP requirements, regardless of local law.
EU SCCs adapted for Swiss use
The FDPIC has recognised the EU Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision 2021/914) as appropriate safeguards, provided they are adapted for Swiss specifics. The required adaptations include:
- Governing law: References to the GDPR must be supplemented with references to the nFADP
- Supervisory authority: The competent authority must be the FDPIC (not an EU Data Protection Authority)
- Applicable law for disputes: Swiss law must be specified for the data protection clauses
- Scope: The SCCs must explicitly cover data subjects in Switzerland, not just EU data subjects
- Terminology: Where the GDPR uses "controller" and "processor", the nFADP equivalents apply
Many large technology providers (Google, Microsoft, AWS, Salesforce) already include these Swiss adaptations in their Data Processing Addenda. When signing with a vendor, verify that their SCCs include the Swiss-specific amendments; a pure EU SCC without adaptation is not sufficient for nFADP compliance.
Four SCC modules
The 2021 EU SCCs use a modular structure. The relevant module depends on the parties' roles:
- Module 1: Controller to Controller
- Module 2: Controller to Processor (most common for Swiss SMEs using SaaS tools)
- Module 3: Processor to Processor
- Module 4: Processor to Controller
For a typical Swiss SME transferring customer data to a US-based SaaS provider, Module 2 (Controller to Processor) is the correct choice.
Transfer Impact Assessment (TIA)
The FDPIC expects that controllers using SCCs conduct a Transfer Impact Assessment before the transfer begins. A TIA evaluates:
- The legal framework of the destination country (surveillance laws, government access powers)
- The practical enforceability of the SCCs in that jurisdiction
- Whether supplementary measures are needed (encryption, pseudonymisation, data localisation)
For transfers to US recipients that are not DPF-certified, a TIA is effectively required. Document your assessment; the FDPIC may request it during an investigation.
Binding Corporate Rules (BCRs): For Multinational Groups
Binding Corporate Rules are internal data protection policies adopted by a multinational group of companies and approved by the FDPIC under Art. 16 para. 2 lit. e nFADP. They allow personal data to flow freely between group entities across borders.
BCRs are primarily relevant for large organisations with entities in multiple jurisdictions. For most Swiss SMEs, SCCs are the more practical and cost-effective safeguard. However, if your business is part of a corporate group with subsidiaries in non-adequate countries, BCRs may be worth exploring.
Key characteristics of BCRs:
- They must be legally binding on all group entities
- They require FDPIC approval before use
- They must include the core data protection principles (purpose limitation, data minimisation, security, data subject rights)
- They must establish internal complaint and enforcement mechanisms
- The approval process can take 12-18 months
If your parent company already has GDPR-approved BCRs, the FDPIC may recognise them with Swiss-specific amendments โ similar to the SCC adaptation process.
Derogations Under Art. 17 nFADP: When No Safeguard Exists
Article 17 nFADP lists exceptions that allow transfers without adequacy decisions or contractual safeguards. These are narrow exceptions, not general permissions. The FDPIC interprets them restrictively.
Art. 17 para. 1 derogations:
- (lit. a) Explicit consent: The data subject has expressly consented to the transfer after being informed of the destination country and its data protection level. The consent must be specific to the transfer; a general privacy policy checkbox is insufficient.
- (lit. b) Contract: The transfer is directly connected with the conclusion or performance of a contract, either between the controller and the data subject (e.g., booking a hotel abroad, shipping a product internationally) or between the controller and a contractual partner in the interest of the data subject. Transfers that are merely convenient or cheaper are not covered.
- (lit. c) Overriding public interest or legal claims: The transfer is necessary to safeguard an overriding public interest (e.g., international judicial cooperation), or to establish, exercise or enforce legal claims before a court or another competent foreign authority.
- (lit. d) Protection of life: The transfer is necessary to protect the life or physical integrity of the data subject or a third party, and the data subject's consent cannot be obtained within a reasonable time.
- (lit. e) Data made public by the data subject: The data subject has made the data generally accessible and has not expressly prohibited its processing.
- (lit. f) Statutory register: The data comes from a register provided for by law that is accessible to the public or to persons with a legitimate interest, to the extent the statutory conditions for access are met in the individual case.
Important limitations:
- Consent-based transfers (lit. a) cannot be the primary mechanism for systematic, ongoing data flows. Consent must be freely given and can be withdrawn at any time.
- Contract necessity (lit. b) is interpreted narrowly. Using a US-based CRM because it is cheaper is not "necessary for contract performance."
- Derogations should be documented, including the specific legal basis relied upon and the reasoning for why no other safeguard mechanism was feasible.
US Data Transfers: Practical Solutions for Swiss SMEs
The United States remains the most critical and complex transfer destination for Swiss businesses. Nearly every Swiss SME uses at least one US-based service: email (Google Workspace, Microsoft 365), payments (Stripe), analytics (Google Analytics), CRM (HubSpot, Salesforce), or cloud infrastructure (AWS, Azure, GCP).
Option 1: Swiss-U.S. Data Privacy Framework (DPF)
Since September 2024, the DPF provides an adequacy basis for transfers to DPF-certified US organisations. This is the simplest solution. To rely on it:
- Verify the recipient's DPF certification at dataprivacyframework.gov
- Confirm the certification covers the specific data categories you transfer
- Document the verification in your records of processing activities
- Re-verify periodically (certifications can lapse or be withdrawn)
Most major US providers (Google, Microsoft, AWS, Meta, Salesforce, Stripe) are DPF-certified.
Option 2: SCCs + Supplementary Measures
For US providers that are not DPF-certified, SCCs adapted for Swiss use are the standard approach. Given the US surveillance landscape (FISA Section 702, Executive Order 12333), the FDPIC expects supplementary technical and organisational measures:
- Encryption: Encrypt data in transit (TLS 1.2 or higher) and at rest. What matters for the TIA is who holds the keys: provider-managed encryption at rest, where the US provider can decrypt the data itself, does not shield it from a compelled disclosure. Keep the keys under your control (customer-managed keys in a Swiss-hosted KMS or HSM, or client-side encryption before upload) or under the control of a provider in a country with adequate protection.
- Pseudonymisation: Where possible, replace direct identifiers with pseudonyms before transfer. The re-identification key must remain in Switzerland or an adequate country.
- Contractual commitments: The US provider should contractually commit to challenging government access requests and notifying you of any such requests to the extent legally permitted.
- Data minimisation: Transfer only the data strictly necessary for the processing purpose.
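Pseudonymisation and minimisation only count as supplementary measures if the re-identification material stays behind. The following Python script, added here as an example and not part of the guide or of any provider's tooling, prepares an export before it leaves Switzerland: direct identifiers are replaced with keyed HMAC-SHA256 pseudonyms, fields the importer does not need are dropped, a pre-flight check refuses a payload that still carries raw identifiers, and the key plus the pseudonym-to-identifier table never leave the local side. The record layout, field names and key are constructed for illustration; in production the key would live in a Swiss-hosted KMS or HSM.

```python
"""Pseudonymise and minimise a customer export before it leaves Switzerland.

Added example, not part of the original guide or of any vendor's tooling.
Record layout, field names and the key are constructed for illustration;
in production the key lives in a Swiss-hosted KMS/HSM and the
re-identification table in Swiss storage.
"""
import hashlib
import hmac
import json

# Constructed sample records, as a Swiss CRM might hold them.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna.meier@example.ch", "name": "Anna Meier",
     "ahv": "756.1234.5678.97", "plan": "pro", "country": "CH"},
    {"customer_id": "C-1002", "email": "luc.favre@example.ch", "name": "Luc Favre",
     "ahv": "756.2345.6789.08", "plan": "basic", "country": "CH"},
    {"customer_id": "C-1003", "email": "g.rossi@example.ch", "name": "Giulia Rossi",
     "ahv": "756.3456.7890.19", "plan": "pro", "country": "IT"},
]

IDENTIFIER_FIELD = "customer_id"          # replaced by a pseudonym
EXPORT_FIELDS = ("plan", "country")        # what the importer actually needs
NEVER_EXPORT = ("email", "name", "ahv")    # direct identifiers that stay in Switzerland


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    A plain hash would let the importer recover 'C-1001' by enumerating the
    small identifier space; the secret key prevents that, and the same key
    yields the same pseudonym, so the importer can still link records over time.
    """
    mac = hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise_for_export(records, secret_key: bytes):
    """Return (export_rows, reidentification_table).

    export_rows go to the foreign processor; the table (pseudonym -> identifier)
    is the re-identification key and must remain in Switzerland.
    """
    export_rows, reid_table = [], {}
    for rec in records:
        pid = pseudonym(secret_key, rec[IDENTIFIER_FIELD])
        reid_table[pid] = rec[IDENTIFIER_FIELD]
        export_rows.append({"pid": pid, **{f: rec[f] for f in EXPORT_FIELDS}})
    return export_rows, reid_table


def check_export_payload(export_rows) -> list:
    """Pre-flight check: list every field that must not leave Switzerland."""
    problems = []
    for i, row in enumerate(export_rows):
        for f in NEVER_EXPORT + (IDENTIFIER_FIELD,):
            if f in row:
                problems.append(f"row {i}: field {f!r} must not be exported")
    return problems


def export_payload(records, secret_key: bytes) -> str:
    """Serialise the minimised, pseudonymised rows; refuse to ship on any leak."""
    rows, _ = pseudonymise_for_export(records, secret_key)
    problems = check_export_payload(rows)
    if problems:
        raise ValueError("export blocked: " + "; ".join(problems))
    return json.dumps(rows, indent=2)


def reidentify(reid_table, pid: str):
    """Local lookup only; the importer never sees this table."""
    return reid_table.get(pid)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a KMS/HSM-held key in practice
    print(export_payload(SAMPLE_RECORDS, key))
```

The HMAC key is the re-identification key in the sense of the paragraph above: rotate it and every pseudonym changes, so keep it in the same Swiss-controlled place as the lookup table and never ship either alongside the export.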
Option 3: Swiss hosting alternatives
For sensitive data or when supplementary measures are impractical, consider Swiss-hosted alternatives:
- Cloud: Infomaniak (Geneva), Exoscale (Swiss data centres)
- Email: Infomaniak Mail, ProtonMail (Geneva)
- Analytics: Self-hosted Matomo, Plausible (EU-hosted)
PrivaGuard is hosted exclusively on Swiss infrastructure precisely because we believe Swiss data residency is not just a compliance checkbox; it is a fundamental trust signal for your customers.
Comparison with GDPR Transfer Rules (Art. 44-49 GDPR)
Swiss SMEs that also serve EU customers often need to comply with both the nFADP and the GDPR. Understanding the differences helps avoid blind spots.
| Aspect | nFADP (Art. 16-18) | GDPR (Art. 44-49) |
|---|---|---|
| Adequacy decisions | Federal Council (published by FDPIC) | European Commission |
| SCC mechanism | FDPIC-recognised SCCs (EU SCCs + Swiss adaptation) | EU Commission SCCs (2021/914) |
| BCRs | Approved by FDPIC | Approved by lead supervisory authority |
| Penalties | Criminal: up to CHF 250,000 against individuals | Administrative: up to EUR 20M or 4% of global turnover against companies |
| Supervisory authority | FDPIC (Bern) | National DPAs (one per EU member state) |
| US transfers | DPF (Swiss-specific certification) | EU-U.S. Data Privacy Framework |
| Consent derogation | Explicit consent required, narrowly interpreted | Explicit consent, also narrowly interpreted |
| Notification to authority | Ad hoc contractual clauses (lit. b) must be notified to the FDPIC in advance; recognised SCCs (lit. d) need no notification | No general notification requirement |
Key difference: criminal vs. administrative liability. The most consequential difference is the enforcement model. Under the GDPR, fines hit the company. Under the nFADP, fines hit the individual. A CEO or data protection officer who approves an unlawful transfer faces personal criminal liability of up to CHF 250,000.
Key difference: SCC notification. Under the nFADP, individually negotiated data protection clauses (Art. 16 para. 2 lit. b) must be notified to the FDPIC before the transfer, a procedural step the GDPR does not require. FDPIC-recognised standard clauses (lit. d), including the adapted EU SCCs, do not need to be notified; the prior recognition replaces the notification.
Cloud Services and SaaS: Practical Implications
For Swiss SMEs, cloud and SaaS providers represent the most common cross-border transfer scenario. Here is what you need to know for the major platforms:
Amazon Web Services (AWS)
AWS offers a Data Processing Addendum (DPA) that includes EU SCCs with Swiss-specific amendments, and AWS is DPF-certified. If you use the Frankfurt or Zurich region, data at rest stays in Europe or Switzerland, but AWS personnel in other countries may access it for support purposes, and remote access from abroad is itself a transfer. Review AWS's sub-processor list at aws.amazon.com/compliance/sub-processors.
Microsoft Azure / Microsoft 365
Microsoft's Products and Services DPA includes SCCs and references DPF certification. Microsoft offers Swiss data residency options for certain services (Microsoft Cloud Switzerland regions in Zurich and Geneva). Even with Swiss data residency, some processing (e.g., security threat analysis) may occur outside Switzerland.
Google Cloud / Google Workspace
Google's Cloud Data Processing Addendum includes SCCs adapted for Swiss use, and Google is DPF-certified. Data location can be controlled via organisational policies. Note that Google support staff worldwide may access data for troubleshooting, as documented in their sub-processor list.
Practical checklist for any cloud/SaaS provider:
- Confirm the provider is DPF-certified (for US providers) or based in an adequate country
- Sign the provider's DPA; do not rely on terms of service alone
- Verify the DPA includes SCCs with Swiss adaptations if the provider is in a non-adequate country
- Review the sub-processor list and set up notifications for changes
- Configure data residency settings where available
- Document everything in your processing register
Transparency Obligations: Art. 19 nFADP
Article 19 nFADP imposes information duties on the controller when collecting personal data. When data is transferred abroad, these transparency requirements become especially important.
You must inform data subjects about:
- The identity and contact details of the controller
- The purpose of the processing
- The recipients or categories of recipients of the data, including foreign recipients
- The country or countries to which data is transferred
- The safeguards ensuring adequate protection (adequacy decision, SCCs, BCRs, or derogation relied upon)
This information is typically provided in your privacy policy. For a Swiss SME, a compliant privacy policy must include a section on international data transfers listing each destination country, the category of data transferred, and the legal mechanism used.
Example clause for a privacy policy:
We transfer personal data to the following countries: United States (Google LLC, DPF-certified; Stripe Inc., DPF-certified), Germany (Hetzner Online GmbH, EU adequacy). Where the destination country does not ensure adequate protection, we rely on Standard Contractual Clauses recognised by the FDPIC.
PrivaGuard's privacy policy generator automatically includes a transfer disclosure section based on the services you declare, with the correct legal references for each destination country.
Processors Abroad: Contract Requirements Under Art. 9 nFADP
When you engage a processor located outside Switzerland, two legal frameworks overlap: Art. 9 nFADP (processor obligations) and Art. 16 nFADP (cross-border transfer). You need both a compliant Data Processing Agreement (DPA) and a valid transfer mechanism.
What the DPA should cover (Art. 9 nFADP itself sets only the core rules: processing on the controller's instructions, nothing the controller could not lawfully do itself, and prior authorisation for sub-processors; the following is the contractual content that gives effect to them and to the security duties of Art. 8):
- Processing on instructions only
- Confidentiality obligations
- Technical and organisational security measures
- Sub-processor management: Art. 9 para. 3 nFADP requires the controller's prior authorisation before a sub-processor is engaged, so the DPA must at least provide advance notification with a right to object
- Assistance with data subject rights
- Data breach notification without undue delay
- Data return and deletion upon termination
- Audit rights
What the transfer mechanism must cover (Art. 16 nFADP):
- Adequacy confirmation (if the processor is in an adequate country)
- SCCs (if no adequacy) with Swiss adaptations
- Supplementary measures if necessary (especially for US processors without DPF)
In practice, most large SaaS providers combine the DPA and SCCs into a single Data Processing Addendum. When reviewing such documents, verify that both the Art. 9 DPA requirements and the Art. 16 transfer safeguards are addressed: a DPA without transfer clauses is incomplete, and SCCs without DPA obligations leave gaps.
Common Mistakes Swiss SMEs Make with International Transfers
Based on our experience helping Swiss businesses achieve compliance, these are the most frequent errors we see:
1. Assuming EU adequacy covers everything
Many Swiss SMEs think that because they deal mostly with EU-based providers, they do not need to worry about transfers. While the EU has adequacy status, you still need a DPA with each processor, and you still need to disclose the transfer in your privacy policy. Adequacy simplifies the transfer; it does not eliminate all obligations.
2. Ignoring sub-processor chains
Your direct vendor may be in Switzerland, but their sub-processors might be in the US, India, or the Philippines. The nFADP obligation follows the data, not just your direct contractual partner. Review sub-processor lists and ensure the entire chain is covered.
3. Relying on consent for systematic transfers
Using customer consent as the legal basis for all international transfers is a common shortcut. The FDPIC interprets consent-based derogations narrowly: consent must be specific, informed, and freely given. For systematic, ongoing data flows (e.g., all customer data flowing to a US CRM daily), consent is not an appropriate mechanism. Use SCCs instead.
4. Not conducting Transfer Impact Assessments
Since the Schrems II decision (which influenced Swiss practice even though it is an EU ruling), Transfer Impact Assessments are expected for transfers to countries with questionable surveillance laws. Failing to document a TIA leaves you without a defence if the FDPIC investigates.
5. Outdated privacy policies
Your privacy policy lists the transfer destinations and safeguards you rely on. If you add a new SaaS tool with servers in a non-adequate country, your privacy policy must be updated. Many businesses set up their privacy policy once and never revisit it.
6. Forgetting employee data
Cross-border transfer obligations apply equally to employee data. If your HR platform (Personio, BambooHR) is hosted in the US, the same Art. 16 nFADP requirements apply. Employee data is often more sensitive than customer data.
7. No DPA in place
Some SMEs use SaaS tools for years without ever signing the provider's Data Processing Addendum. The DPA is usually available in the provider's account settings or legal documentation page โ it just needs to be accepted. This is a quick win for compliance.
Step-by-Step Transfer Assessment Guide
Use this process every time you onboard a new vendor, tool, or service that might involve cross-border data transfers.
Step 1: Identify the Transfer
Map the data flow. What personal data will be transferred? Where will it go? Who will receive it? A "transfer" includes not just sending data to a foreign server but also granting remote access to a foreign employee of your provider.
Step 2: Check the FDPIC Adequacy List
Is the destination country on the FDPIC adequacy list at edoeb.admin.ch?
- Yes: proceed to Step 5 (DPA). No additional transfer safeguard is needed.
- Partially (e.g., US with DPF): verify the specific recipient's certification. If certified, proceed to Step 5.
- No: proceed to Step 3.
Step 3: Select a Safeguard Mechanism
For non-adequate countries, choose the appropriate safeguard:
- SCCs (most common): Use EU 2021 SCCs with Swiss adaptations. Select the correct module (usually Module 2 for controller-to-processor transfers).
- BCRs: If the recipient is part of a multinational group with FDPIC-approved BCRs.
- Derogation (Art. 17): Only if SCCs are not feasible and a specific derogation applies (explicit consent, contract necessity, etc.). Document your reasoning.
Step 4: Conduct a Transfer Impact Assessment
For transfers relying on SCCs (especially to countries with extensive surveillance laws):
- Assess the legal framework of the destination country
- Evaluate whether the SCCs are practically enforceable
- Determine supplementary measures if necessary
- Document the assessment and your conclusions
Step 5: Sign the DPA
Ensure you have a valid Data Processing Agreement with the recipient that covers both Art. 9 nFADP (processor obligations) and the transfer safeguards from Step 3.
Step 6: Update Your Privacy Policy
Add the new transfer destination, the categories of data transferred, and the safeguard mechanism to your privacy policy's international transfer section.
Step 7: Update Your Processing Register
Record the transfer in your processing register (Art. 12 nFADP), including the destination, categories of data, purpose, and safeguard relied upon. Companies with fewer than 250 employees are exempt from the register duty unless they process sensitive personal data on a large scale or carry out high-risk profiling (Art. 12 para. 5 nFADP, Art. 24 DPO); keeping the register anyway is the easiest way to answer an FDPIC inquiry.
Step 8: Monitor and Review
- Set up sub-processor change notifications
- Re-verify DPF certifications periodically
- Review the FDPIC adequacy list for changes
- Reassess when data flows change
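Steps 1 to 5 form a decision tree that has to be applied to every hop in the chain, not only to the vendor you sign with. The following Python script, added here as an example and not part of the guide or of PrivaGuard's product, walks a small constructed vendor inventory, sub-processors included, assigns each hop its transfer basis and lists the gaps (no DPA, non-adequate country without DPF or Swiss-adapted SCCs, SCCs without a documented TIA). The vendor names and attributes are made up, and the set of adequate countries is a partial placeholder that must be replaced with the current Annex 1 DPO list before the script is used for anything real.

```python
"""Walk a vendor inventory, sub-processors included, and derive the transfer
basis for every hop (Steps 1-5 of the assessment guide), flagging gaps.

Added example, not part of the original guide or of PrivaGuard's product.
Vendors and their attributes are constructed; ADEQUATE is a partial
placeholder and must be replaced with the current Annex 1 DPO list.
"""
from dataclasses import dataclass, field

# Placeholder subset (constructed). Replace with the current Annex 1 DPO list.
ADEQUATE = {"DE", "FR", "IT", "AT", "NL", "IE", "GB", "CA", "IL", "NZ", "AR", "UY"}


@dataclass
class Vendor:
    name: str
    country: str                     # where the data is processed or accessed from
    dpa_signed: bool = False         # Art. 9 DPA in place
    dpf_certified: bool = False      # only meaningful for US recipients
    scc_swiss_adapted: bool = False  # EU 2021 SCCs with the Swiss amendments
    tia_documented: bool = False     # transfer impact assessment on file
    sub_processors: list = field(default_factory=list)


def transfer_basis(v: Vendor):
    """Return (basis, findings) for one hop, ignoring its sub-processors."""
    findings = []
    if not v.dpa_signed:                       # Step 5 applies to every processor
        findings.append("no DPA signed (Art. 9)")
    if v.country == "CH":
        return "domestic (no Art. 16 transfer)", findings
    if v.country in ADEQUATE:                  # Step 2
        return "adequacy (Art. 16 para. 1)", findings
    if v.country == "US" and v.dpf_certified:  # Step 2, recipient-specific check
        return "adequacy via Swiss-U.S. DPF", findings
    if v.scc_swiss_adapted:                    # Step 3 + Step 4
        if not v.tia_documented:
            findings.append("SCCs in place but no TIA documented")
        return "SCCs with Swiss adaptation (Art. 16 para. 2 lit. d)", findings
    findings.append("no valid transfer mechanism: non-adequate country, no DPF, no SCCs")
    return "NONE", findings


def assess_chain(v: Vendor, path: str = ""):
    """Depth-first walk: the obligation follows the data through every sub-processor."""
    here = f"{path}/{v.name}" if path else v.name
    basis, findings = transfer_basis(v)
    rows = [{"path": here, "country": v.country, "basis": basis, "findings": findings}]
    for sp in v.sub_processors:
        rows.extend(assess_chain(sp, here))
    return rows


def gaps(rows):
    """Only the hops that need action."""
    return [r for r in rows if r["findings"]]


# Constructed inventory: a Swiss-hosted CRM whose support desk sits in the US.
INVENTORY = [
    Vendor("Alpenhost AG", "CH", dpa_signed=True, sub_processors=[
        Vendor("HelpCenter Inc.", "US", dpa_signed=True),   # no DPF, no SCCs
    ]),
    Vendor("PayFlow Inc.", "US", dpa_signed=True, dpf_certified=True),
    Vendor("NordServer GmbH", "DE"),                         # adequate, DPA never signed
]


def run(inventory=INVENTORY):
    rows = []
    for v in inventory:
        rows.extend(assess_chain(v))
    return rows


if __name__ == "__main__":
    for r in run():
        flag = "!! " if r["findings"] else "   "
        print(f"{flag}{r['path']:32} {r['country']:3} {r['basis']}")
        for f in r["findings"]:
            print(f"      - {f}")
```

The Swiss vendor in the constructed inventory passes on its own; the gap only appears one level down, which is exactly the sub-processor-chain mistake described earlier. Feed the script the provider's published sub-processor list rather than what the sales deck says, and re-run it whenever a sub-processor change notification arrives.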
How PrivaGuard Helps with Cross-Border Transfer Compliance
Managing international data transfers across multiple vendors, each with different hosting locations and sub-processors, is a complex ongoing obligation. PrivaGuard simplifies this process:
- Cookie and Tracker Scanner: Our automated scanner detects third-party cookies and trackers on your website, identifies which providers they belong to, and flags transfers to non-adequate countries. You see exactly where your website sends data โ before the FDPIC does.
- Privacy Policy Generator: Generate a trilingual privacy policy that includes a legally accurate international transfer section, automatically populated based on the services you declare. References to Art. 16 nFADP and the appropriate safeguard mechanisms are built in.
- Processing Register: Document all your data processing activities, including cross-border transfers, in a structured register that satisfies Art. 12 nFADP. Export as PDF for your records or for FDPIC inquiries.
- Consent Management Platform (CMP): Our nFADP-optimised consent banner ensures that cookies and trackers triggering international transfers only load after valid consent. Google Consent Mode v2 compatible, under 15 KB, and hosted in Switzerland.
- Auto-Rescan: Scheduled weekly or monthly rescans of your website detect new trackers that might introduce undocumented cross-border transfers.
Swiss data protection starts with knowing where your data goes. PrivaGuard gives you that visibility.
Conclusion
Cross-border data transfers are an unavoidable reality for Swiss SMEs in a connected economy. The nFADP does not prohibit international transfers; it requires them to be documented, safeguarded, and transparent. The legal framework under Art. 16-18 nFADP provides clear mechanisms: adequacy decisions for trusted jurisdictions, SCCs for the rest, and narrow derogations for exceptional circumstances.
The practical steps are straightforward: map your data flows, check the adequacy list, implement the right safeguards, sign your DPAs, and keep your privacy policy current. The risk of inaction is personal: up to CHF 250,000 in criminal fines against the responsible individual.
Start with a free scan of your website at privascan.ch to see where your data goes today. Then let PrivaGuard help you get compliant, and stay compliant.