Cross-Border Data Transfers Between Switzerland and France: A Compliance Guide

Personal data flows freely between Switzerland and France in both directions with no SCCs required. Learn when SCCs and Transfer Impact Assessments apply, how FADP Article 9 compares to GDPR Article 28, and what financial-sector overlays apply.

Article contents
  1. Key takeaways
  2. Can you transfer personal data between Switzerland and France?
  3. The legal framework in both directions
  4. When do you actually need SCCs?
  5. When is a Transfer Impact Assessment (TIA) required?
  6. FADP Article 9 vs GDPR Article 28: processor obligations
  7. Onward transfers to the US: the Data Privacy Frameworks
  8. Common real-world scenarios
  9. Penalties: why the Swiss model is different
  10. A practical compliance roadmap
  11. Frequently asked questions
  12. Get this right for your vendor stack

Cross-Border Data Transfers Between Switzerland and France: A Compliance Guide for DPOs and Vendor Managers

Personal data can be transferred in both directions between Switzerland and France without Standard Contractual Clauses (SCCs). Transfers into Switzerland rely on the EU's adequacy recognition of Switzerland; transfers into France rely on Switzerland listing all EU/EEA states as adequate. Both flows are governed by the Swiss FADP (nDSG/nLPD) and the EU GDPR. SCCs, Transfer Impact Assessments, and processor contracts only become decisive for onward transfers to non-adequate countries.

Key takeaways

  • France → Switzerland: free transfer. France relies on the EU's adequacy decision for Switzerland. No SCCs, no extra safeguards.
  • Switzerland → France: free transfer. France is on Switzerland's list of countries with adequate protection (Annex 1 to the Data Protection Ordinance). No SCCs.
  • SCCs and a Transfer Impact Assessment (TIA) only matter for onward transfers to non-adequate third countries — most commonly US sub-processors that are not certified under a Data Privacy Framework.
  • A data processing agreement is still required when you use a processor. GDPR Article 28 sets a detailed standard; Swiss FADP Article 9 is leaner. A GDPR-grade DPA satisfies both.
  • Penalties differ fundamentally. The Swiss FADP fines the responsible individual up to CHF 250,000. The GDPR fines the company up to €20 million or 4% of global turnover.
  • Financial-sector data carries extra duties. Swiss banking secrecy (Art. 47 Banking Act) and FINMA Circular 2018/3 are separate overlays that adequacy alone does not resolve.

Can you transfer personal data between Switzerland and France?

Yes. Personal data flows freely between Switzerland and France in both directions, with no SCCs or additional transfer safeguards for the direct leg. Each country recognises the other as providing an adequate level of data protection, so a Switzerland–France transfer is treated much like a domestic one for transfer-mechanism purposes. The obligations that remain are the ordinary ones: a lawful basis for processing, transparency, security, and a proper contract whenever a processor is involved.

The nuance that trips teams up is not the direct leg — it is what happens next. The moment data continues onward from France or Switzerland to a country without adequacy (a US analytics provider, an offshore support centre), the transfer-mechanism analysis becomes live again.

The legal framework in both directions

Switzerland–France transfers sit at the intersection of two regimes. The Swiss Federal Act on Data Protection (FADP) — known as the nDSG in German and nLPD in French, in its revised form in force since 1 September 2023 — governs the Swiss side. The EU General Data Protection Regulation (GDPR) governs the French side. Cross-border disclosure is addressed in Articles 16 to 18 FADP and in Chapter V (Articles 44–50) of the GDPR.

France → Switzerland

France can send personal data to Switzerland with no additional safeguards, because the EU recognises Switzerland as an adequate country. The European Commission first granted Switzerland adequacy in Decision 2000/518/EC of 26 July 2000. That recognition remains the operative basis today: in its review report of 15 January 2024, the Commission confirmed that Switzerland continues to provide an adequate level of protection. No new GDPR-era adequacy decision has replaced it — the 2024 text is a confirmation, not a fresh Article 45 decision. As an EU member state, France relies on this EU-level adequacy, so a France-to-Switzerland transfer requires no SCCs.

Switzerland → France

Switzerland can send personal data to France with no additional safeguards, because France is on Switzerland's adequacy list. Under Article 16(1) FADP, the Swiss Federal Council maintains a list of countries with an adequate level of protection in Annex 1 to the Data Protection Ordinance (DPO). All EU and EEA states, including France, appear on that list. Personal data may be disclosed to listed countries without a specific transfer mechanism.

One Swiss-specific point to remember: under Swiss law, granting remote access from abroad to data stored in Switzerland is itself a disclosure abroad. A French team logging into a Swiss-hosted system is a transfer, even if the data never "moves."

When do you actually need SCCs?

You need SCCs only when data is transferred to — or accessible from — a country that is not covered by an adequacy decision, and no other valid mechanism applies. For Switzerland and France specifically, that means SCCs are triggered not by the direct leg but by:

  • Onward transfers to non-adequate countries — for example, a French or Swiss vendor whose sub-processor sits in a country without adequacy.
  • Processors or sub-processors located in non-adequate countries, even if the contracting vendor is in France or Switzerland.
  • Remote support or administration access from a non-adequate country.

Where SCCs are required out of the EU, the relevant instrument is the EU's modular Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021). The alternatives under Article 16(2) FADP and Article 46 GDPR include binding corporate rules (BCRs) and, for narrow cases, the statutory derogations (consent, contract performance, legal claims).

The "Swiss Finish" on EU SCCs

To use the EU SCCs for a transfer out of Switzerland, you must adapt them for Swiss law — the so-called "Swiss Finish." On 27 August 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC/EDÖB) recognised the EU SCCs subject to the necessary amendments. In practice the adaptations are:

  • references to the GDPR are read as references to the FADP where only Swiss law applies;
  • the FDPIC is named as a competent supervisory authority (alongside the EU authority where both regimes apply);
  • "member state" wording must not deprive Swiss data subjects of the right to enforce at their place of habitual residence;
  • governing law and forum are adapted so Switzerland can be chosen where only the FADP applies.

Switzerland has no separate national SCCs; it relies on the adapted EU clauses (and recognises the Council of Europe model clauses).

When is a Transfer Impact Assessment (TIA) required?

A TIA is required whenever you rely on SCCs or BCRs to transfer data to a non-adequate country — not for the direct Switzerland–France leg. The obligation flows from the Court of Justice's Schrems II judgment (Case C-311/18, 16 July 2020), which held that an exporter using contractual safeguards must verify whether the destination country's law provides essentially equivalent protection, and add supplementary measures where it does not. The FDPIC adopted the same logic for Switzerland and issued transfer-assessment guidance, including a US-specific questionnaire.

For Switzerland–France, a TIA on the direct transfer is unnecessary because both sides are adequate. The TIA becomes mandatory the moment an onward transfer reaches a non-adequate country — and a vendor risk programme should require one per sub-processor, documented and reproducible.

FADP Article 9 vs GDPR Article 28: processor obligations

A data processing agreement (DPA) is required whenever a controller uses a processor, but the two regimes set very different bars. GDPR Article 28 is prescriptive and detailed; FADP Article 9 is short and principle-based. If you operate under both, building to the GDPR Article 28 standard automatically satisfies the FADP.

| Requirement | GDPR Article 28 | FADP Article 9 |
|---|---|---|
| Written contract | Required (including electronic form) | Recommended; not strictly mandated |
| Prescribed minimum content | Yes — detailed list in Art. 28(3) | None prescribed |
| Process on documented instructions only | Yes | Implicit (process only as the controller may) |
| Security measures | References Art. 32 | Required (Art. 8 FADP / DPO) |
| Sub-processor authorisation | Prior written, specific or general | Prior approval required (Art. 9(3)) |
| Audit / inspection rights | Express | Not prescribed |
| Confidentiality | Required | Required — and must not breach statutory secrecy |

Under GDPR Article 28(3), the contract must cover the subject matter, duration, nature and purpose, types of data and categories of data subjects, and impose the full set of processor duties: act only on instructions, ensure confidentiality, apply Article 32 security, respect sub-processing rules, assist with data-subject rights and with Articles 32–36, delete or return data at the end of the service, and submit to audits.

Under FADP Article 9, a controller may delegate processing provided the processor only processes data as the controller itself may, and no statutory or contractual duty of confidentiality prohibits it. Article 9(3), new in the revised FADP, requires the processor to obtain the controller's prior approval before engaging a sub-processor. The FADP prescribes no minimum contractual content and no explicit audit right — which is precisely why a GDPR-grade DPA is the safer common denominator.

Onward transfers to the US: the Data Privacy Frameworks

US sub-processors are the most common reason a Switzerland–France data flow needs a transfer mechanism at all. Two frameworks govern this:

  • Swiss–US Data Privacy Framework (Swiss–US DPF): operational from 15 September 2024, when the US was added to Annex 1 of the Swiss Data Protection Ordinance. Swiss organisations may transfer to DPF-certified US recipients without further safeguards.
  • EU–US Data Privacy Framework (EU–US DPF): adopted by the European Commission on 10 July 2023 (Implementing Decision (EU) 2023/1795). EU exporters, including French ones, may transfer to certified US recipients without further safeguards.

Check certification before relying on either framework. A US recipient must be actively self-certified, and the certification must cover the relevant data type (HR vs non-HR). For a US recipient that is not DPF-certified, you fall back to SCCs (with the Swiss Finish for the Swiss leg), a TIA, and any necessary supplementary measures.

A status note worth tracking: the EU–US DPF was challenged and upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v Commission), on the facts as they stood when the 2023 decision was adopted. An appeal is now pending before the Court of Justice (filed 31 October 2025). The framework remains valid and usable, but prudent programmes keep SCCs ready as a fallback for US flows.

Common real-world scenarios

A SaaS vendor based in France serving Swiss customers

The France↔Switzerland flow is covered by mutual adequacy — no SCCs for that leg. The risk sits with the vendor's sub-processors: US analytics, support, or infrastructure providers. Map them, confirm DPF certification or put Swiss-Finish SCCs plus a TIA in place, and ensure the DPA reflects Article 9(3) prior approval for sub-processors. This is the scenario where vendor due diligence, not the headline transfer, does the real work.

A Swiss bank using a French processor

Data-protection law treats this as a free adequacy-based transfer — but two separate overlays apply, and adequacy does not resolve either:

  • Banking secrecy (Art. 47 Banking Act). Disclosing client-identifying data to a provider abroad generally requires either the express consent of each client (typically procured through the bank's general terms) or technical measures — encryption or pseudonymisation, with the bank retaining the keys — so the provider cannot re-identify clients. Data-protection safeguards do not substitute for the consent that secrecy law requires.
  • FINMA Circular 2018/3 (Outsourcing – Banks and Insurance Companies), in force since 1 April 2018. For cross-border outsourcing, the bank must ensure that it, its auditor, and FINMA can exercise inspection and audit rights, and that data stored abroad remains accessible from Switzerland at all times for recovery and resolution.

Equivalent professional-secrecy duties apply to asset managers, trustees and securities firms under Article 69 of the Financial Institutions Act.

A Swiss company using French cloud hosting

Free transfer under mutual adequacy, and French/EU hosting is often chosen specifically to avoid US exposure. The caveat: if the provider is US-parented or its sub-processors can access the data, US lawful-access exposure (for example under the CLOUD Act) can reintroduce third-country considerations even though the servers sit in France.

Onward transfers to other third countries

Any transfer onward to a country without adequacy requires a mechanism — DPF certification (US only), SCCs plus a TIA and supplementary measures, or a narrow statutory derogation under Article 17 FADP / Article 49 GDPR.

Penalties: why the Swiss model is different

The Swiss FADP fines the responsible individual, not the company. Intentional breaches — including unlawful disclosure abroad, using a non-compliant processor, or breaching minimum security requirements — are punishable by criminal fines of up to CHF 250,000, imposed on the responsible natural person and enforced by cantonal prosecutors. Only intentional violations are punishable; there are no fines for negligence under these provisions. Where identifying the individual would be disproportionate and the fine would not exceed CHF 50,000, the company may be fined instead.

By contrast, the GDPR imposes administrative fines on the undertaking of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. For an organisation operating across both regimes, this means budgeting for two very different kinds of exposure — corporate financial risk on the EU side, personal criminal liability for named individuals on the Swiss side.

A practical compliance roadmap

Days 0–30 — Map. Inventory every Switzerland–France data flow and, critically, every onward transfer and sub-processor. Document that the direct leg relies on adequacy (EU recognition of Switzerland; France on Annex 1 DPO). Flag any sub-processor in a non-adequate country.

Days 30–60 — Paper the gaps. For US sub-processors, verify DPF certification; where absent, execute Swiss-Finish EU SCCs plus a TIA. Put GDPR Article 28-grade DPAs in place (these also satisfy FADP Article 9, including Article 9(3) sub-processor approval).

Days 60–90 — Layer sector rules. For financial-sector data, add banking-secrecy controls (client consent and/or bank-held encryption keys) and FINMA Circular 2018/3 audit, inspection and Swiss-accessibility clauses on top of the DPA.

Ongoing — Monitor. Track the Latombe appeal at the Court of Justice and any new EU adequacy decision for Switzerland; keep SCCs as a fallback for US flows; re-run TIAs whenever a law or a sub-processor changes.

Frequently asked questions

Is Switzerland an adequate country under the GDPR?

Yes. The European Commission recognised Switzerland as adequate in Decision 2000/518/EC (2000), and confirmed in its review of 15 January 2024 that Switzerland continues to provide an adequate level of protection. France, as an EU member, relies on this recognition.

Do I need SCCs to transfer personal data from France to Switzerland?

No. France relies on the EU's adequacy recognition of Switzerland, so the transfer needs no SCCs or additional safeguards — only the ordinary processing and contract obligations.

Do I need SCCs to transfer personal data from Switzerland to France?

No. France is on Switzerland's list of countries with adequate protection (Annex 1 to the Data Protection Ordinance), so the transfer is free of SCC requirements.

Is the Swiss FADP the same as the GDPR?

No. The FADP is broadly aligned with the GDPR but leaner. Its processor rules are lighter, and its penalties target the responsible individual (up to CHF 250,000) rather than imposing corporate turnover-based fines.

What are the penalties for unlawful data transfers under Swiss law?

Intentional violations carry criminal fines of up to CHF 250,000, imposed on the responsible individual and enforced by cantonal prosecutors. A company may be fined up to CHF 50,000 only where identifying the individual would be disproportionate.

Are the EU Standard Contractual Clauses valid in Switzerland?

Yes, with adaptations. The FDPIC recognises the EU SCCs subject to a "Swiss Finish" — naming the FDPIC as supervisory authority, applying the FADP, and protecting Swiss data subjects' enforcement rights.

Is remote access from abroad a data transfer under Swiss law?

Yes. Granting access from abroad to data stored in Switzerland counts as a disclosure abroad, even if the data is not copied or moved.

Can a Swiss bank use a processor in France?

Yes, but data-protection adequacy is not enough. Swiss banking secrecy (Art. 47 Banking Act) and FINMA Circular 2018/3 apply separately, typically requiring client consent or encryption with bank-held keys, plus audit and Swiss-accessibility guarantees.

Is the Swiss–US Data Privacy Framework valid?

Yes. The Swiss–US DPF has been operational since 15 September 2024, allowing transfers to certified US recipients without additional safeguards. Non-certified recipients still require SCCs and a transfer assessment.

What is a Transfer Impact Assessment and when do I need one?

A TIA is a documented check on whether a destination country offers essentially equivalent protection. It is required when you rely on SCCs or BCRs to transfer to a non-adequate country — not for the direct Switzerland–France leg.

Get this right for your vendor stack

Most Switzerland–France compliance failures are not about the headline transfer — they are about the sub-processor three layers down. Supplier Shield maps your data flows, validates your vendors' transfer mechanisms, and pressure-tests your DPAs against both the FADP and the GDPR.

This article is general information, not legal advice. Verify your specific situation against primary sources — the FADP and Data Protection Ordinance (Fedlex), FDPIC/EDÖB guidance, the CNIL, and the European Commission's adequacy pages — or consult qualified counsel.