INSIGHT // 17

Cross-Border Cloud Service Contracts: Jurisdictional Complexity

Abstract: When data resides in multiple jurisdictions simultaneously, which law governs? Cloud service agreements often create legal uncertainties that surface only during disputes or regulatory investigations, precisely when clarity matters most. The November 2025 privatim resolution on international cloud solutions and the Federal Council's Cloud Strategy have sharpened these questions considerably.

Plain Language Summary

Cloud service agreements create multi-jurisdictional exposure. Data stored in one country may be processed in another. The same data may be subject to disclosure orders in a third. Contractual choice-of-law clauses do not override the mandatory data protection rules of each jurisdiction where processing occurs. For Swiss firms, the November 2025 privatim resolution raised serious questions about whether US-controlled cloud services can lawfully process certain categories of data. Contract law, data protection, and foreign government access intersect in ways that standard procurement processes rarely address.

Table of Contents
  1. Data Localization
  2. Conditional Adequacy
  3. Subprocessor Oversight
  4. Government Access
  5. Cloud Termination
  6. Jurisdictional Reality

The promise of cloud computing remains simplicity: infrastructure as a service, software on demand, scalability without capital investment. The legal reality is considerably more complex. When a Swiss company stores data with a cloud provider headquartered in the United States, operating data centers in Ireland and Singapore, the question of applicable law becomes genuinely difficult, and the November 2025 privatim resolution on international cloud solutions suggests it may be more difficult than many organizations have assumed.[1]

1. The Illusion of Data Localization

Cloud service agreements commonly offer "data residency" options, promising that customer data will be stored in specific geographic regions. However, storage location and processing location are not the same thing. Data stored in a Swiss data center (data "at rest") may be accessed, processed, or analyzed from technical support centers located anywhere in the world. The distinction between where data resides and from where it may be accessed or processed (and by whom) is critical to jurisdictional analysis.

The question is no longer where data is stored, but who controls the infrastructure, and to which sovereign's laws that controller ultimately answers.

Furthermore, modern cloud architectures often involve automatic failover, backup replication, and disaster recovery across multiple regions. What happens to data residency commitments when the primary data center experiences an outage? Does temporary processing in a backup location constitute a contractual breach or a reasonable operational necessity? Standard agreements rarely address these questions with precision.

Under the Bundesgesetz über den Datenschutz (DSG), cross-border disclosure requires either adequate protection in the destination country or appropriate safeguards.[2] But country-level adequacy does not resolve specific data flows within complex cloud architectures. If processing occurs in the European Economic Area, the GDPR applies as mandatory law regardless of what the contract specifies; regulatory obligations are not subject to party autonomy in choice of law.[3] The same data flow may simultaneously require analysis under Swiss DSG and GDPR frameworks, each with distinct requirements for lawful processing, transfer mechanisms, and controller-processor arrangements.

2. When Adequacy Is Conditional

The cross-border transfer landscape shifted on 15 September 2024, when Switzerland's recognition of the United States as providing adequate protection under the Swiss-US Data Privacy Framework became effective.[4] Under this framework, Switzerland recognizes the US as providing adequate data protection for transfers to DPF-certified recipients, eliminating the need for additional transfer mechanisms such as Standard Contractual Clauses or transfer impact assessments. Other compliance obligations (purpose limitation, proportionality, security requirements, and processor contract terms) remain applicable regardless of the transfer basis.

However, the DPF does not resolve all jurisdictional complexity. Certification is voluntary and company-specific: not all providers are certified, and certification scope may not cover all services a provider offers. The DPF addresses personal data transfers but does not affect trade secrets, professionally secret information, or other sensitive categories that fall outside its scope.

The durability of the framework itself presents a separate consideration. The EU's analogous frameworks (Safe Harbor and Privacy Shield) were both invalidated by the Court of Justice of the European Union.[5] The Swiss-US DPF is a separate Swiss adequacy decision not subject to CJEU jurisdiction, but the underlying US legal environment that prompted those EU invalidations has not fundamentally changed. Organizations relying on the Swiss DPF must consider what contingency arrangements would apply if Switzerland were to reassess its adequacy finding.

The Swiss-US DPF rests on Executive Order 14086, which established a Data Protection Review Court mechanism for non-US persons to challenge surveillance activities; Swiss residents gained access to that mechanism only when the US Attorney General designated Switzerland a "qualifying state" in June 2024.[6] Unlike Safe Harbor and Privacy Shield, this framework was designed specifically to address the Schrems II concerns about lack of judicial redress. However, Executive Orders can be modified or rescinded by subsequent administrations without Congressional action, and the framework's oversight architecture has already shown strain: the Privacy and Civil Liberties Oversight Board lost its operating quorum in January 2025, and although the EU's parallel framework survived the Latombe annulment challenge before the EU General Court in September 2025, that judgment is under appeal.[7] The framework's foundations are thus executive rather than legislative, creating a structural vulnerability that organizations should factor into contingency planning. Whether Swiss authorities would reassess adequacy in response to US executive action, and on what timeline, remains uncertain.

Where the DPF does not apply, organizations must rely on SCCs under Art. 16(2)(d) DSG, supplemented by transfer impact assessments.[8] But the structural problem the Schrems II decision identified persists: contractual commitments cannot override a provider's statutory obligation to comply with foreign government access orders. For US-bound transfers outside the DPF, the assessment must address the CLOUD Act, FISA Section 702, and Executive Order 12333, producing conclusions that will rarely be unambiguous. Even where the DPF covers the primary transfer, the provider's subprocessor relationships may introduce additional jurisdictional exposure that the framework does not govern.

3. Where Oversight Ends in the Subprocessor Chain

Enterprise cloud services rarely operate in isolation. A primary cloud provider may rely on dozens of subprocessors for specific functions: content delivery networks, security monitoring, analytics services, and customer support tools. Each subprocessor relationship introduces additional jurisdictional considerations.[9]

Art. 9 DSG establishes the statutory framework for processor relationships. A controller may only engage a processor if the processing is carried out in a manner the controller itself could lawfully perform, and no statutory or contractual duty of confidentiality prohibits the delegation.[10] In cloud arrangements, this second requirement (no prohibition on delegation) intersects directly with professional secrecy obligations. Where data subject to Art. 321 StGB or Art. 47 BankG is processed in the cloud, the controller must verify that the delegation itself does not breach the confidentiality obligation, a question that extends to every subprocessor in the chain.

Standard cloud contracts typically include broad authorization for subprocessor engagement, with notice provisions that allow changes on short timelines. But what practical oversight can a customer exercise when the subprocessor list spans hundreds of entities across dozens of jurisdictions?

The EDÖB's guidance on transfer impact assessments requires exporters to evaluate not merely the primary recipient but the full chain of processing.[11] For complex cloud arrangements, this evaluation may be practically impossible to complete with confidence. How does an organization verify that subprocessor security controls meet requirements when audit rights do not extend through the chain? What audit rights actually apply at the third or fourth tier of subcontracting? When a subprocessor is located in a jurisdiction without adequate protection, and without DPF certification, what safeguards apply, and who bears responsibility for implementing them?

The notice-and-objection model typical of cloud contracts compounds this: if a provider adds a subprocessor in a problematic jurisdiction, the customer's objection right may be limited to contract termination, a remedy that is commercially impractical for deeply embedded services.

Art. 22 DSG requires a Datenschutz-Folgenabschätzung (DPIA) where processing is likely to result in high risk to data subjects.[12] Cloud arrangements involving cross-border subprocessor chains, government access exposure, and limited audit rights will frequently trigger this threshold, and where particularly sensitive personal data under Art. 5(c) DSG is involved, the assessment is legally required before processing begins.

4. Government Access and the CLOUD Act Question

The reach of government surveillance and data access requests extends across borders in ways that cloud service contracts rarely address clearly. A cloud provider incorporated in the United States remains subject to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act),[13] which permits US authorities to compel disclosure of data in the provider's possession, custody, or control, regardless of where that data is physically stored.

This creates a structural tension that contractual provisions cannot fully resolve. Data stored in a Swiss data center, operated by a Swiss subsidiary, may nonetheless be subject to US disclosure requirements if the ultimate parent company is US-incorporated. The DPF addresses surveillance in the intelligence context through oversight mechanisms established under Executive Order 14086,[14] but the CLOUD Act operates through different legal channels (law enforcement rather than intelligence gathering), and those channels are not addressed by the adequacy framework.

The CLOUD Act's comity provisions, which permit motions to quash orders where compliance would violate a "qualifying foreign government's" laws, require an executive agreement with the United States that Switzerland has not concluded.[15] These challenge rights are therefore largely unavailable for Swiss data, leaving only the weaker, discretionary basis of common-law comity.

Swiss law creates a counter-obligation. Art. 271 StGB criminalizes acts performed on Swiss territory on behalf of foreign authorities without authorization, a tension examined in the context of e-discovery in Insight 09.[16] Whether compliance with a CLOUD Act order would violate Art. 271 remains uncertain; the provision's application to cloud service arrangements has not been authoritatively resolved, creating a situation where the provider may face conflicting legal obligations with no clear hierarchy.

Swiss regulatory authorities have taken an increasingly firm position on this question. On 18 November 2025, the Conference of Swiss Data Protection Commissioners (privatim) adopted a resolution concluding that SaaS solutions from international cloud providers are generally unsuitable for processing particularly sensitive personal data or data subject to confidentiality obligations by Swiss public bodies, unless the public body implements customer-controlled encryption to which the provider has no access.[17] The resolution, which represents the collective position of cantonal data protection authorities rather than binding law, found that most international SaaS solutions (Microsoft 365 foremost among them) lack encryption preventing provider access to plaintext data. For data subject to official secrecy (Amtsgeheimnis), outsourcing to providers subject to the CLOUD Act creates legal uncertainty that contractual safeguards cannot resolve.

The privatim resolution aligns with the Federal Council's broader Swiss Government Cloud Strategy (Cloud-Strategie der Bundesverwaltung), which prioritizes sovereign cloud solutions for federal data classified as requiring heightened protection, while permitting public cloud services for lower-sensitivity categories subject to appropriate safeguards.[18] The strategy reflects a multi-cloud approach (sovereign infrastructure for the most sensitive workloads, commercial cloud for the rest) that private sector organizations handling regulated data may find instructive as a risk-stratification model.

While these pronouncements address the public sector specifically, for private sector organizations handling data subject to professional secrecy, including medical confidentiality under Art. 321 StGB[19] and banking secrecy under Art. 47 BankG,[20] the same underlying tension applies. The question is not whether the CLOUD Act conflict exists, but whether the risk of a disclosure request affecting specific data categories is sufficiently low to accept, given that the cloud arrangement must satisfy sector-specific obligations beyond general data protection requirements.

For FINMA-supervised entities, Circular 2018/3 imposes additional cloud outsourcing requirements, including audit rights exercisable regardless of data location, that sit in tension with the operational reality of hyperscale architectures.[21]

For financial entities the Swiss regime sits beside an EU framework of markedly greater reach. The Digital Operational Resilience Act has applied since 17 January 2025 and, unlike the FINMA outsourcing circular, subjects designated critical ICT third-party providers (the major cloud platforms among them) to direct supervision by the European Supervisory Authorities.[22] Swiss banks and insurers are exposed through their EU establishments and as members of EU financial groups, and Swiss firms acting as ICT providers to EU financial institutions inherit DORA obligations by contractual flow-down.

The revised DSG reinforces these obligations with criminal sanctions. Art. 60 ff. DSG impose personal liability (fines up to CHF 250,000) on individuals who willfully breach duties of care in cross-border transfers or violate professional secrecy in connection with data processing.[23] Liability attaches to compliance officers, IT directors, or senior management rather than to the organization, and where a cloud arrangement leads to unlawful disclosure, that personal exposure persists regardless of whether the disclosure was compelled by foreign law. Standard procurement processes rarely address the circumstances under which foreign disclosure might occur, what notification the customer would receive, or whether contractual commitments to challenge orders would provide meaningful protection or merely procedural delay.

5. When the Cloud Relationship Ends

Cloud service agreements create dependency relationships that become apparent primarily at termination. When the relationship ends (through expiration, breach, or provider insolvency), the practical questions multiply: what export formats are available, whether those formats are usable without the provider's proprietary systems, what transition assistance exists and at what cost, and whether data transformed during processing can be recovered in its original structure.

Provider insolvency presents particular challenges. Cloud contracts typically do not create security interests in customer data, and contractual access rights may be unenforceable or subordinate to creditor claims in a foreign insolvency proceeding. For regulated industries, these questions intersect with record-keeping obligations, creating compliance problems that may only become apparent years after termination, when the commercial relationship that created the data has long since ended.

Since 12 September 2025, the EU Data Act has reshaped these exit questions for any cloud arrangement touching an EU establishment. Chapter VI obliges providers of data processing services (IaaS, PaaS, and SaaS alike) to enable customers to switch to a competing service or to on-premises infrastructure, to provide functional equivalence and structured data export, and to withdraw switching charges entirely from 12 January 2027.[24] The regime binds providers irrespective of their place of establishment whenever the customer is in the EU, so a Swiss group's EU subsidiaries may acquire portability rights that its Swiss-contracting entities do not, a divergence that exit planning should anticipate rather than discover at termination.

6. Where Contractual Certainty Meets Jurisdictional Reality

For Swiss organizations evaluating cloud service arrangements, the regulatory landscape has grown more complex rather than simpler. The Swiss-US DPF provides a pathway for certain personal data transfers, but does not eliminate the underlying jurisdictional tensions. The November 2025 privatim resolution signals that Swiss authorities are taking an increasingly skeptical view of whether US-controlled cloud services can satisfy data protection requirements for sensitive categories of information.

[Figure: Competing Jurisdictional Claims Over Cloud-Hosted Data. Venn diagram of three overlapping legal regimes claiming authority over the same data set (Swiss organization, US cloud provider, EU processing). Swiss law: DSG (SR 235.1), Art. 321 StGB, Art. 47 BankG, Art. 60 ff. DSG, FINMA 2018/3. EU law: Art. 3 GDPR territorial scope, Art. 6, 10, 12, 13 AI Act, SCC framework, Data Act, DORA ICT oversight. US law: CLOUD Act, 18 U.S.C. § 2713, FISA § 702 national security access. Overlaps mark concurrent jurisdiction (Art. 16 f. DSG / GDPR Ch. V, processor obligations, DPF / EO 14086, adequacy fragility, Schrems II legacy); the Swiss-US conflict zone is the Art. 271 StGB vs CLOUD Act tension. Contractual provisions (Art. 97/100 OR) operate within one framework and cannot resolve conflicts between competing jurisdictions.]
Fig. 1. Swiss, EU, and US legal regimes exercise concurrent authority over cloud-hosted data, creating conflict zones where competing sovereign obligations cannot be reconciled through contractual provisions alone.

The jurisdictional exposure extends beyond the primary provider to the full subprocessor chain, and each link introduces its own regulatory questions. Contractual provisions addressing the intersection between Swiss data protection requirements and foreign government access may appear protective but prove unenforceable against a provider subject to conflicting legal obligations. Data residency commitments face a similar gap: operational exceptions for failover, support access, and subprocessing may render geographic restrictions largely aspirational in practice. Where cloud services support regulated products (medical devices, pharmaceutical manufacturing systems, or clinical trial databases), the cloud arrangement becomes part of the product's regulatory compliance architecture, with liability implications extending to the EU-AR and beyond (see Insight 05 on authorized representative liability).

Swiss contract law adds a further dimension. Cloud agreements routinely cap provider liability at a fraction of annual fees, but Art. 100 OR prohibits excluding liability for intentional or grossly negligent breach.[25] Where inadequate safeguards lead to unlawful disclosure, the distinction between ordinary and gross negligence determines whether the cap applies, and the Sorgfaltspflicht expected of a cloud provider processing regulated data in a cross-border architecture is a question Swiss courts have not yet defined with precision.

For organizations processing data subject to professional or official secrecy, the threshold question may be whether cloud processing is lawful at all under the EDÖB's 2024 cloud computing guidance and the November 2025 privatim resolution, a question that these pronouncements have made increasingly difficult to avoid.

The EU AI Act adds a further layer: where cloud infrastructure supports high-risk AI systems, providers and deployers face data governance, record-keeping, and transparency requirements that interact with, but are distinct from, data protection obligations.[26] For Swiss organizations deploying AI via US-headquartered cloud providers into the EU market, the result is a three-layer regulatory stack (Swiss DSG, EU AI Act, and US CLOUD Act), each operating on different jurisdictional triggers.

The cloud is not a place; it is a set of contractual relationships layered on top of physical infrastructure controlled by entities subject to multiple sovereigns' laws. The jurisdictional complexity those relationships create requires analysis that standard procurement templates cannot provide.

REFERENCES

[1] Bundesgesetz über den Datenschutz (Datenschutzgesetz, DSG) vom 25. September 2020 (SR 235.1), in force since 1 September 2023, establishing the framework for cross-border data transfers under Art. 16 f.
[2] Art. 16(1)–(2) DSG; Verordnung über den Datenschutz (Datenschutzverordnung, DSV) vom 31. August 2022 (SR 235.11), Annex 1 (list of countries with adequate protection).
[3] Art. 3(1)–(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L119/1 (GDPR) (territorial scope); see also Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems [2020] ECLI:EU:C:2020:559 (Schrems II), confirming the extraterritorial reach of EU data protection standards to transfers involving US surveillance.
[4] DSV (SR 235.11), as amended 15 September 2024, adding the United States (for recipients certified under the Swiss-US Data Privacy Framework) to Annex 1.
[5] Case C-362/14 Schrems [2015] ECLI:EU:C:2015:650 (Schrems I), invalidating Safe Harbor; Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems [2020] ECLI:EU:C:2020:559 (Schrems II), invalidating the EU-US Privacy Shield and establishing requirements for supplementary measures when transferring data to jurisdictions with intrusive surveillance powers.
[6] Attorney General designation of Switzerland as a "qualifying state" pursuant to s 3(f) of Exec. Order No. 14086, taking effect with the 15 September 2024 amendment to DSV Annex 1 (Federal Register notice of 13 June 2024); this gave Swiss residents standing before the Data Protection Review Court redress mechanism.
[7] The Privacy and Civil Liberties Oversight Board lost its operating quorum following the removal of three members in late January 2025. The EU's analogous EU-US Data Privacy Framework survived annulment in Latombe v Commission (EU General Court, 3 September 2025), a ruling under appeal; as a separate Swiss adequacy decision, the Swiss-US DPF is affected by these developments only by analogy.
[8] Art. 16(2)(d) DSG, permitting cross-border transfers on the basis of standard data protection clauses approved or recognized by the EDÖB; cf EDPB, Recommendations 01/2020 on measures that supplement transfer tools (18 June 2021), requiring supplementary measures where the legal framework of the destination country undermines the effectiveness of standard contractual clauses.
[9] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (18 June 2021), providing guidance on transfer impact assessments applicable by analogy to Swiss transfers under EDÖB guidance.
[10] Art. 9 DSG (Bearbeitung durch Auftragsbearbeiter), permitting processor engagement only where (a) the processing is carried out as the controller itself could lawfully perform it, and (b) no statutory or contractual duty of confidentiality prohibits the delegation.
[11] EDÖB, Datenbearbeitungen in der Cloud (July 2024), providing guidance on data protection requirements for cloud outsourcing, including transfer impact assessments and processor chain obligations.
[12] Art. 22 DSG (Datenschutz-Folgenabschätzung), requiring a data protection impact assessment where planned processing is likely to result in a high risk to data subjects' personality or fundamental rights, particularly for systematic processing of sensitive personal data under Art. 5(c) DSG.
[13] Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Pub. L. No. 115-141, div. V, 132 Stat. 1213 (2018), codified at 18 U.S.C. §§ 2701 note, 2713, requiring US-incorporated providers to disclose data in their possession, custody, or control regardless of storage location.
[14] Exec. Order No. 14086, 87 Fed. Reg. 62283 (14 October 2022) (Enhancing Safeguards for United States Signals Intelligence Activities), establishing proportionality requirements and a redress mechanism for signals intelligence collection that underpins the Swiss-US and EU-US Data Privacy Frameworks.
[15] 18 U.S.C. § 2703(h)(2), permitting providers to move to quash or modify legal process where the customer is not a US person and compliance would create a material risk of violating the laws of a "qualifying foreign government"; see also 18 U.S.C. § 2523 (requirements for executive agreements establishing qualifying foreign government status). Switzerland has not concluded such an agreement.
[16] Art. 271 Schweizerisches Strafgesetzbuch (StGB) vom 21. Dezember 1937 (SR 311.0) (Verbotene Handlungen für einen fremden Staat), criminalizing acts performed on Swiss territory on behalf of a foreign state or foreign party to proceedings without authorization. Application to cloud service compliance with foreign law enforcement orders remains doctrinally uncertain.
[17] Konferenz der schweizerischen Datenschutzbeauftragten (privatim), Resolution zur Auslagerung von Datenbearbeitungen in die Cloud (adopted 18 November 2025, published 24 November 2025), concluding that international SaaS solutions are unsuitable for processing particularly sensitive personal data or data subject to confidentiality obligations by Swiss public bodies without customer-controlled encryption.
[18] Schweizerischer Bundesrat, Cloud-Strategie der Bundesverwaltung (2020), defining a multi-cloud approach for federal administration with differentiated sovereignty requirements based on data classification; see also Informatiksteuerungsorgan des Bundes (ISB), implementation guidance on cloud usage for federal offices.
[19] Art. 321 StGB (n 16) (Verletzung des Berufsgeheimnisses), criminalizing disclosure of professional secrets by, inter alia, clergy, lawyers, defense counsel, notaries, auditors, physicians, pharmacists, midwives, psychologists, and their auxiliaries.
[20] Art. 47 Bundesgesetz über die Banken und Sparkassen (Bankengesetz, BankG) vom 8. November 1934 (SR 952.0), establishing banking secrecy obligations with criminal sanctions for unauthorized disclosure.
[21] FINMA Circular 2018/3 Outsourcing: banks and insurers (Auslagerung bei Banken und Versicherern), in force since 1 April 2018, Rz 27 ff., requiring contractual audit rights, supervisory access, notification of material subcontracting changes, and data location requirements for outsourcing of essential functions. Complemented since 1 January 2024 by FINMA Circular 2023/1 Operational Risks and Resilience – Banks, which extends expectations on ICT and third-party risk management (transitional period to the start of 2026).
[22] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) [2022] OJ L333/1, applicable from 17 January 2025; Chapter V (management of ICT third-party risk) and Art. 31 ff. (oversight framework for critical ICT third-party providers, the first of which were designated in November 2025).
[23] Art. 60 ff. DSG (Strafbestimmungen), imposing personal criminal liability (fines up to CHF 250,000) on natural persons who willfully violate duties of care in cross-border data transfers (Art. 61), minimum data security requirements (Art. 61), or professional secrecy obligations in connection with data processing (Art. 62).
[24] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (Data Act) [2023] OJ L, 2023/2854, Chapter VI (Arts 23–31, switching between data processing services), applicable from 12 September 2025; Art. 29 (gradual withdrawal of switching charges, prohibited from 12 January 2027).
[25] Art. 97 (liability for non-performance) and Art. 100 (prohibition of excluding liability for intentional or grossly negligent breach) Bundesgesetz betreffend die Ergänzung des Schweizerischen Zivilgesetzbuches (Fünfter Teil: Obligationenrecht, OR) vom 30. März 1911 (SR 220).
[26] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act) [2024] OJ L 2024/1689, Art. 6 (classification of high-risk AI systems), 10 (data and data governance), 12 (record-keeping), 13 (transparency and provision of information to deployers); see also Art. 2(1)(a) on territorial scope.

Generic contract templates cannot address complexity that emerges from the intersection of multiple legal systems.