One Year On: New Data Privacy Law in the Financial Sector

Thursday, 03 October 2024

By Désirée Cotture, COO of Indigita SA


Swiss banks have long been known for their strict confidentiality under Swiss banking secrecy, offering clients the highest level of privacy for their financial data. However, with the introduction of the new Swiss Federal Act on Data Protection (nFADP) and the European Union’s General Data Protection Regulation (GDPR), banks must now balance stronger data protection with increased transparency.



Strengthened Data Protection


Both the nFADP and GDPR set strict requirements for protecting client data. Banks must ensure that only employees with a valid reason can access client information, following the "need-to-know" principle. This helps prevent internal data breaches and ensures data is only processed for legitimate purposes.


Increased Transparency and Client Access


These regulations also require more transparency from banks. Clients now have the right to know what data is collected, how it is processed, and where it is stored. This is a significant change from traditional Swiss banking practices, where such information was closely guarded. Banks must now provide this data upon request, creating new systems to ensure quick and clear responses.


Navigating nFADP and GDPR Compliance


Swiss banks face the challenge of complying with both nFADP and GDPR, depending on where their clients are based. The nFADP applies to Swiss residents, while GDPR covers EU citizens and residents. Banks need flexible systems to manage data according to the relevant regulation, which adds complexity to their operations.


For EU citizens and residents, banks must comply with GDPR’s strict rules, even if the data is processed in Switzerland. This requires a dual compliance approach, with teams coordinating closely to meet both regulatory standards. Swiss banks may also face a dual reporting obligation for data breaches, because the requirements of the nFADP and GDPR overlap. Breaches under the nFADP must be reported to the Federal Data Protection and Information Commissioner (FDPIC), while breaches under GDPR, affecting EU citizens or data processed within the EU, must be reported to the relevant national Data Protection Authority. Additionally, violations of GDPR may lead to enforcement actions or penalties imposed by the respective authority, further complicating compliance for Swiss banks operating across multiple jurisdictions.


Process Revisions and Technology Upgrades


The new regulations require banks to update their data management processes and technology infrastructure. For instance, banks must streamline systems to provide client data promptly, ensuring compliance teams are equipped to handle requests for data access, correction, or deletion efficiently. In addition, banks must retain data for at least 10 years, as required by Swiss law, while balancing nFADP’s and GDPR’s focus on minimizing data retention. Automated systems are essential for managing retention schedules and securely deleting data when necessary.


Flexibility and Adaptation


As scrutiny increases, banks must ensure robust internal processes to meet the requirements of both nFADP and GDPR. For instance, banks must ensure that sensitive client data is only shared when necessary and in compliance with regulations. Also, the bank’s central file needs to be kept updated and organized for quick data access when requested. Finally, regular audits and careful record-keeping are vital for proving compliance with data protection rules.


Conclusion: Balancing Privacy and Transparency


The nFADP and GDPR have introduced both stricter data protection and greater transparency for Swiss banks. While they must continue to protect client data, they also need to be flexible and transparent in providing access. Navigating these competing demands requires Swiss banks to evolve from institutions of secrecy into data stewards, safeguarding privacy while embracing transparency.
