Are there any restrictions applicable to cloud-based services?
Technology (second edition)
There are no restrictions specifically applicable to cloud services. In general, personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure its protection against unauthorised access, its availability and its integrity. Further, the use of cloud services constitutes an outsourced processing service if the personal data is not encrypted during its storage in the cloud and, in case the servers of the cloud are located outside Switzerland and the personal data is not encrypted during its transfer and storage, an international transfer of personal data (see Question 8). FDPIC has issued a non-binding guide outlining the general risks and data protection requirements of using cloud services (https://www.edoeb.admin.ch/edoeb/en/home/data-protection/Internet_und_Computer/cloud-computing/guide-to-cloud-computing.html). Specific rules may apply in regulated markets (e.g. Circular 2018/3 relating to outsourcing issued by the Swiss Financial Market Supervisory Authority (FINMA) applies to banks and securities dealers organised under Swiss law, including Swiss branches of foreign banks and securities dealers subject to FINMA supervision).
Key restrictions applicable to cloud-based services providers are the rules in telecommunication laws and cyber security laws. Cloud-based services, as a type of VATS, is categorized in Internet Digital Center (IDC) and subcategorized as Internet Resource Collaboration Service (IRCS) of the Catalogue of Telecommunications Business (2015 Revision). To engage in Cloud-based services, entities should obtain IRCS license from MIIT. Qualified cloud-based service providers shall meet the requirements in operation funding, professional personnel, reputation and capability, registered capital and etc. according to the Administrative Measures for the Licensing of Telecommunication Business Operations (2017 Revision). Cloud-based service is not open to foreign investors, except that Hong Kong or Macao service provider may secure the IDC/IRCS license through joint ventures in accordance with CEPA.
Pursuant to the Cyber Security Law, cloud-based services providers shall duly perform their duties to protect the network security. If the facilities in providing cloud-based services are categorized as CII, the personal information collected and generated by cloud-based services providers during operating their business in China may have to be stored in China, and security assessment have to be carried out if the personal information needs to be transferred abroad.