When data is transferred from Switzerland to the United States only for processing purposes, will a contract be required, regardless of participation by the processor in the Safe Harbor?
Yes. Data controllers in Switzerland are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside Switzerland. (Article 10a FADP) The purpose of the contract is to protect the interests of the data controller, i.e., the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individual(s) concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data are kept secure.
A U.S. organization participating in the Safe Harbor and receiving personal information from Switzerland merely for processing thus does not have to apply the Principles to this information, because the controller in Switzerland remains responsible for it vis-à-vis the individual in accordance with the relevant Swiss provisions (which may be more stringent than the equivalent Safe Harbor Principles).
Because adequate protection is provided by Safe Harbor participants, contracts with Safe Harbor participants for mere processing do not require prior authorization (or such authorization will be granted automatically) as would be required for contracts with recipients not participating in the Safe Harbor or otherwise not providing adequate protection.