AFAIK that only goes for personalized health data and other personal data collected by the government and public institutions. There's no such requirement for private companies.

peter

Incorrect. Private institutions have a duty of care with regards to personally identifiable information here in Switzerland.

More information (albiet limited in English) available here: http://www.edoeb.admin.ch/index.html?lang=en

No, you're incorrect. I didn't say they don't have to take care. There's just no requirement for private companies to keep the data in Switzerland - that would be absurd.

Peter

It is absurd, but reality. Here is the link:
http://www.edoeb.admin.ch/themen/007...x.html?lang=en

If you do transfer any data that is clearly connected to a person living here, as HR info on salary, the data has to stay in Switzerland. You can make exceptions when the employee allows you to do so. The rules explicitely say that an employee cannot give you one signature for any data any reason, but you need to discuss every single data transaction and its purpose with him. So "we want to have our server abroad" is not valid reason.

(I am 100% sure on this one as I used to work with server hosting here and have seen a presentation by some Swiss lawyers with an estimation that the vast majority of companies is actually regularly breaking the law in this area)

I know that many SME do not follow the rules. This being Switzerland, I would rather do so.

? Reading through theses documents I don't find any pointers that would make it illegal to transfer data to foreign countries.

"1 Personal data may not be transferred abroad if to do so might seriously jeopardise the personality rights of the data subject, in particular in cases when there is no legislation that can guarantee an appropriate level of protection.
2 If there is no legislation that can guarantee an appropriate (sufficient) protection, personal data can only be transferred abroad, if:"

If, and only if, the data is transferred to a country that doesn't have sufficient data protection laws, there are certain rules to follow (and doing so still enables you to transfer the data).

Here's a list of countries with their respective status:

http://www.edoeb.admin.ch/themen/007...DZz8mMps2gpKfo


Data exports to the US are allowed, as long as the company that handles the data adheres to the Safe Harbor standards. That's the case for Google:

http://www.google.com/privacypolicy.html

Also, Postini (which handles the data storage for Google Premier Apps) has two data centers in Switzerland and apparently all data from Swiss companies is stored there, so this is a non-issue from the beginning.

Peter

Hi guys

Absurd or not, as Treverus pointed out, it is indeed the law. You'll note that personal information can be transferred to the countries in Dawiz's list. For example, anywhere in the EU, or to the US if the company self certifies and a few a other small conditions are met.

However, as noted in that country list document (or at least, in the German one - my limited French makes me think it's there though), that's only for personally identifiable information pertaining to natural persons. Swiss law also enshrines the right to privacy for "juristiche Personen", or legal entities and such, which most other countries do not. Therefore, this information may not be disclosed abroad (indeed, the US-Swiss Safe Harbor agreement explicitly states that it covers natural persons).

Reading legalese can make someone's head spin, but I know of a Zürich law firm that maintains a website where the requirements are translated into simple English; check out www.dataprotection.ch for more information.

Of course, if you need help assessing the impact of Swiss requirements on your business, or implementing the appropriate controls, I'd be more than happy to further discuss with you.

Sorry, missed this one in my last response. No, the issue is not where the data is stored; it's where the data *can be* (not even *is*) accessed from. Note the definition of disclosure from the English translation of Article 235 (not legally binding, but the German is similar): "making personal data accessible, for example by permitting access, transmission or publication"

Yeah, I know the implications of that are terrifying. However, that's how it is.

Maybe if a mod reads this, he or she could split this off into a seperate thread? I don't think it's really relevant to the OP....