AWS in Switzerland and Austria (Alps)
Using AWS in Light of the New Swiss Data Protection Act
Switzerland has fully revised its Federal Act on Data Protection, which came into force on September 1, 2023, together with the new Data Protection Ordinance (nFADP).
This blog provides a brief overview of the changes to Switzerland’s data protection regime and confirms that AWS customers can continue to use AWS services in compliance with the nFADP because AWS offers (1) multiple technical, organizational and contractual measures that allow customers to protect their data when using AWS services , and (2) a Swiss Addendum to the AWS Data Processing Addendum (AWS DPA) that together address the contractual requirements of the nFADP.
The revisions to the nFADP were mostly intended to align it more closely with the EU GDPR (GDPR). So, in broad terms – and with a few exceptions – compliance with the GDPR continues to ensure compliance with the nFADP.
Key changes in the nFADP include the scope of application, which is now limited to data of individuals (and not data of legal entities anymore), the introduction of new protections for biometric and genetic data, and the principles of “privacy by design” and “privacy by default”. New obligations include providing information to data subjects about data collection, keeping records of processing activities and carrying out data protection impact assessments, as well as breach notification obligations. Potential sanctions have also become stricter, and the Swiss Federal Data Protection and Information Commissioner has more competencies.
With AWS, customers manage the privacy controls of their data, control how their content is being used, who has access to it, and how it is encrypted. To find out more about the measures, tools and services AWS offers to meet requirements of the nFADP, customers can visit the Data Protection and Privacy at AWS page. The page sets out AWS’s commitments on data sovereignty, security, data privacy, and data controls and residency.
The AWS DPA sets out AWS’s commitments with respect to processing of personal data uploaded to the AWS services under a customer’s AWS account (Customer Data), and the Swiss Addendum to this AWS DPA addresses the specific requirements under the nFADP. The AWS DPA and the Swiss Addendum are both incorporated in the AWS Service Terms (Section 1.14) and apply automatically when customer’s use of the AWS services is subject to the nFADP.
The Swiss Addendum also includes the Standard Contractual Clauses (SCCs) adopted by the European Commission and amended as required by the Swiss Federal Data Protection and Information Commissioner. As is set out in the Swiss Addendum, the SCCs will automatically apply whenever a customer uses AWS services to transfer Customer Data subject to the nFADP to countries outside Switzerland not recognised under the nFADP as providing an adequate level of protection for personal data.
The AWS Europe (Zurich) Region empowers customers with the flexibility to run applications on a secure and reliable cloud infrastructure while maintaining local data residency and providing the lowest possible latency for Swiss end-users.
Swiss customers also benefit from AWS’s adherence to the CISPE Code of conduct. The CISPE Code goes beyond compliance with the GDPR or the nFADP by requiring cloud infrastructure service providers to give customers the choice to use services to store and process Customer Data exclusively in the European Economic Area (EEA). AWS has initially declared over 100 services under the CISPE Code and is committed to bringing additional AWS services into the scope of the CISPE compliance program. For further information, see this blog.
In addition to providing customers with a number of tools and services to build nFADP-compliant environments, AWS has achieved a number of internationally recognized certifications and accreditations. AWS has demonstrated compliance with third-party assurance frameworks such as ISO 27001, ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1 and SOC 1, SOC 2, and SOC 3 (see also AWS Compliance Programs).
To learn more about AWS’s compliance, security programs and common privacy and data protection considerations, see AWS Compliance Programs and Using AWS in the Context of Common Privacy and Data Protection Considerations.