Switzerland is not in the EU and has not introduced EU regulations on general data protection (GDPR). The GDPR is also applicable if companies are based in Switzerland and offer services in the EU.
Therefore, Swisscom is subject to the same data handling obligations as all other organizations that have to comply with the GDPR:
- Obtain the consent of the person whose data are processed
- “Privacy by design” and “Privacy by default” guarantee
- appoint a data protection representative
- create a list of processing activities
- report violations of data protection to the supervisory authority
- conduct a privacy impact assessment
All applications that concern data protection and are used for data processing, e.g., the RA app, must comply with GDPR. Swisscom provides information on this on its pages:
- Switzerland: https://trustservices.swisscom.com/en/datenschutz
- Austria: www.swisscom.at
with corresponding data protection declarations according to GDPR.
Switzerland has always been and is considered a safe third country under Art. 45 GDPR (data transfer based on an adequacy decision), i.e., the usual authorizations as with other third countries (e.g., the U.S.) are unnecessary. Thanks to its Data Protection Act and the ongoing adaptation to the GDPR, Switzerland has an “adequate level of protection for the transfer of personal data” by EU criteria, i.e., it must, be treated as an EU country when transferring data: