Tuesday, 19 September 2023
Monde Economique by Elena Liotto, Head of Marketing & Communications at Indigita SA
On 1 September 2023, Switzerland’s data protection legislation saw a major update when the new Federal Act on Data Protection (nFADP) came into force. The new Swiss data protection law is not the only regulation affecting the handling of data by financial institutions in Switzerland.
References to data protection can be found in the Swiss Code of Obligations, the Anti-Money Laundering Act, the Swiss Federal Act Against Unfair Competition (UCA), cantonal laws, employment laws, FINMA circulars and guidance, and, perhaps most famously, the Banking Act. In addition, the principles and guidance introduced by the European Union’s General Data Protection Regulation (GDPR) in 2018 apply across industries and geographical markets, affecting Swiss institutions that operate with EU-based customers.
nFADP is closely aligned with the standards set by GDPR. However, there remain certain differences between the two, which financial institutions should be aware of.
Data subject rights in the financial sector
Both GDPR and nFADP grant data subjects various rights, including the rights of access, rectification, deletion and portability of personal data. However, there are certain limitations and conditions, which arise, for example, from anti-money laundering (AML) regulations in Switzerland.
Under those AML rules, bank documents containing personal data must be retained and remain available for ten years.
Principle- vs. rule-based approach to determine protection
As data protection becomes increasingly intertwined with risk management, financial institutions must assess the risks for data subjects in an objective and structured manner.
Unlike the principle-based approach found in GDPR, the Swiss legislation calls for a rule-based approach.
It places explicit demands on data controllers and processors and lists the required technical and organisational measures in detail in the new Data Protection Ordinance (nDPO).
nFADP introduces record of processing activities requirement
Analogous to Article 30 of GDPR, Swiss financial institutions are now required by nFADP to keep a record of processing activities (RoPA). This record is a fundamental element of the documentation required by authorities and serves as an organisational tool for the entire data protection management system. Among other elements, a bank’s or asset manager’s RoPA must include the purpose of processing, the categories of data processed, as well as the storage period, or the criteria to determine the length of such period, if derived from other laws.
SME exemptions do not apply for small financial institutions
The data handled by financial institutions is considered among the most sensitive, regardless of an organisation’s size.
While nFADP specifies exemptions for SMEs with fewer than 250 employees “whose data processing presents limited risk of harm to the data subject”, small banks and asset managers are still required to keep a RoPA due to the sensitive nature of the private data they process.
Cross-border data transfer is subject to strict conditions
Both GDPR and nFADP impose strict requirements on the transfer of data across jurisdictions. The transfer of data may be permissible when an adequate level of data protection is guaranteed through adequacy decisions, standard contractual clauses (SCC), binding corporate rules (BCR), certification mechanisms and codes of conduct. As per nFADP, the Swiss Federal Council publishes a periodically reviewed list of countries that guarantee an adequate level of data protection. In the EU, the adequacy is determined by the European Commission. Where data is transferred abroad, a list of the respective countries should form part of the privacy notice.
Fines and sanctions get personal under nFADP
Fines are an area where GDPR and nFADP differ considerably.
While GDPR only fines and sanctions organisations, nFADP holds the individual who has the ultimate decision-making power and supervision personally liable and specifies fines of up to CHF 250,000.
As for criminal provisions, any person who intentionally violates the minimum data security requirements may be fined up to CHF 250,000. Under nFADP, the organisation itself can only be fined, up to CHF 50,000, if identifying a responsible natural person within the organisation would require a disproportionate effort.
Differences in the reporting of data breaches
Both GDPR and nFADP mandate data breach notifications.
While GDPR defines a 72-hour deadline for reporting to supervisory authorities, nFADP requires notification of the Swiss Federal Data Protection and Information Commissioner (FDPIC) “as soon as possible”.
GDPR requires all breaches to be reported unless the violation in question is unlikely to create a risk to the rights and freedoms of the affected persons. nFADP, on the other hand, requires a notification in cases where there is a high risk to the data subject's personality or fundamental rights.
nFADP doesn’t explicitly ask for a Data Protection Officer
GDPR mandates the appointment of a Data Protection Officer (DPO) for certain organisations to facilitate GDPR compliance and communication with data protection authorities. nFADP doesn't explicitly ask for a DPO but allows Swiss financial institutions to appoint a Data Protection Advisor (DPA) voluntarily, and doing so is strongly recommended.
In summary, both GDPR and nFADP aim to protect the privacy and personal data of individuals. For the most part, the two pieces of legislation are aligned, but there are differences regarding applicable jurisdiction, documentation and specific legal provisions, cross-border data transfers, DPO mandates, and sanctions. It is important to remember that Swiss banks and asset managers that process private data of EU residents are also subject to GDPR. Ensuring compliance with both remains a complex task for banks and asset managers. To keep critical infrastructure, financial systems, and marketing and communication activities safe from a cyber security and personal data protection point of view, adequate and continuous training of employees is required to make them aware of risks and to explain appropriate behaviours. By ensuring compliance with GDPR and nFADP, financial institutions will safeguard the privacy of their clients' data as well as their own reputation, and mitigate both corporate and personal legal risks.