Switzerland: Data protection in the financial sector

Switzerland's strong reputation for financial services can be traced back to the early eighteenth century, with Switzerland being a forerunner in liberalizing and facilitating international trade, upon which its economy heavily depends. This has led the country to be widely known for its confidentiality, discretion, and data protection, ensuring that clients' bank accounts remain private and secure.

In this Insight article, Paul Lanois, Director at the European law firm Fieldfisher in the US[1], provides an overview of the relevant legal provisions, as well as some recent developments applicable to the financial sector in Switzerland.

Applicable legislation

Privacy is a fundamental right under Swiss law. According to Article 13 of the Swiss Federal Constitution, every person has the right to privacy in their private and family life and their home, and in relation to their mail and telecommunications, as well as the right to be protected against the misuse of their personal data.

The Federal Act on Data Protection 1992 (FADP) protects the privacy and the fundamental rights of natural and legal persons when their personal data is processed. A revised version of the Federal Act on Data Protection (Revised FADP), available only in German, French, and Italian, was enacted on September 25, 2020, and came into force on September 1, 2023. Notably, two corresponding ordinances also came into force together with the Revised FADP: the implementing provisions of the Ordinance to the Federal Act on Data Protection and the revised Ordinance on Data Protection Certification (available in French, German, and Italian).

The Revised FADP was introduced to eliminate the deficiencies of the prior FADP caused by technological changes since 1992 and by developments in the EU over the past years, and to ensure that data protection in Switzerland is harmonized with the requirements of the General Data Protection Regulation (GDPR). For example, the Revised FADP now only protects the data of natural persons and no longer covers the data of legal entities such as corporations or associations (Article 2 of the Revised FADP), which were previously protected by the FADP.

While the Revised FADP is a comprehensive legislation on data protection and is not industry-specific, it is very relevant for Swiss financial institutions in relation to their processing of personal data. Both the prior FADP and the Revised FADP distinguish between the following general categories of data:

  • Non-personal data: The Revised FADP only applies to personal data; therefore, any data that does not meet the definition of personal data is out of the scope of the Revised FADP. In other words, if the information does not relate to an identified or identifiable natural person (such as anonymized data), it is likely out of the scope of the Revised FADP, but such information may nevertheless still be covered by other laws or regulations.
  • Personal data: This term covers all data relating to specific individuals, including data that can be attributed to specific individuals when combined or correlated with other data. This category may include data that allow conclusions to be drawn about an individual's behavior, such as transaction data or location data.
  • Sensitive personal data: This is a subset of personal data defined precisely by law and includes biometric data as well as information on political opinions, religious or philosophical beliefs, and data concerning health.

Some of the main changes that the Revised FADP introduces, which are relevant to the financial sector, include:

  • the introduction of the principles of Privacy by Design and Privacy by Default, which, in the context of the financial sector, require integrating data protection and privacy requirements into the design and default settings of financial products or services that collect personal data;
  • the obligation to keep a register of processing activities and to notify the Federal Data Protection and Information Commissioner (FDPIC) in case of a data security incident; and
  • the recognition of the concept of 'profiling,' which involves the automated processing of personal data.

For organizations that are already compliant with the GDPR, the Revised FADP will not require too much additional work to achieve compliance, although the Revised FADP includes 'Swiss tweaks' in certain areas, making it slightly less prescriptive than the GDPR. For instance, while the Revised FADP has similar provisions as the GDPR regarding the definition of data breaches and processors, it does not explicitly require a 72-hour notification period, nor does it regulate in detail the content of a breach notification. This allows organizations some flexibility depending on the circumstances.

Supervisory authority

The Swiss Financial Market Supervisory Authority (FINMA) is Switzerland's independent financial markets regulator. Its mandate is to supervise banks, insurance companies, exchanges, securities dealers, collective investment schemes, and their asset managers and fund management companies. It also regulates distributors and insurance intermediaries. It is charged with protecting creditors, investors, and policyholders.

Confidentiality and banking secrecy

When handling bank customers' personal data, which the FINMA refers to as 'client identifying data' (CID), bank-client confidentiality under Article 47 of the Swiss Banking Act applies on top of the general provisions of data protection law. Article 47 of the Swiss Banking Act makes violating bank-client confidentiality a criminal offense and covers all information (including personal evaluation results) that can be attributed to a bank customer. Contrary to popular belief, such confidentiality is not absolute since banks have been required to disclose information about customers in civil proceedings (for example pertaining to inheritances or divorces), in debt recovery and compulsory liquidation proceedings, in criminal proceedings (especially where tax fraud is involved), as well as proceedings by the financial market supervisory authority and proceedings relating to the cross-border exchange of information.

Nevertheless, bank-client confidentiality has been fundamentally transformed in recent years, particularly as it relates to tax matters.

On December 13, 2022, the FINMA published Circular 2023/1 on operational risks and resilience at banks, a complete revision of the prior Circular 2008/21. The circular addresses operational risk management in banks, especially in relation to information and communication technology, the handling of critical data, and cyber risks. If critical data is stored outside of Switzerland or can be accessed from abroad, the increased risks associated with this must be adequately mitigated and monitored using suitable means, and the data must be given particular protection. In addition, the revision incorporates requirements for operational resilience. Circular 2023/1 will enter into force on January 1, 2024, with additional gradual transitional provisions for ensuring operational resilience applicable over two years.

Outsourcing regulations

Financial institutions in Switzerland are subject to a variety of outsourcing-related regulations, the extent of which varies depending on the type of financial institution. For example, banks are subject to the FINMA Outsourcing Circular (Circular 2018/03), which also applies to insurers, reinsurers, securities firms, managers of collective assets, fund management companies, and self-managed investment companies with variable capital (SICAV).

The circular outlines several requirements, such as the obligation to keep an inventory of outsourced functions that must be kept up to date. This inventory must contain a description of the outsourced function, information about the service provider (including subcontractors), the service recipient, and the unit responsible within the outsourcing company. The company, its audit firm, and FINMA must be able to verify the service provider's compliance and must have the contractual right to inspect and audit all information relating to the outsourced function at any time without restrictions. Outsourcing to another country is admissible only if the company can expressly guarantee that it, along with its audit firm and FINMA, can assert and enforce its right to inspect and audit information.

Cybersecurity

The FINMA Guidance on the Duty to Report Cyber Attacks (Guidance 05/2020), which applies to all supervised institutions, provides for procedures, deadlines, and content requirements for notifications related to cyberattacks, which are essential for supervision. Immediate reporting to FINMA is required, meaning that the affected supervised institution must inform FINMA within 24 hours of detecting such a cyber-attack and conduct an initial assessment of its criticality. The actual report should be submitted within 72 hours via the FINMA web-based survey and application platform. If a financial institution outsources essential functions, it is also responsible for reporting cyberattacks that occur at its outsourcing service provider.

The Swiss Bankers Association has also issued its Recommendations on Business Continuity Management (BCM), widely recognized as the minimum standard on BCM for financial institutions in Switzerland.

Rights of data subjects

The rights of data subjects vis-à-vis the data controller under the Revised FADP largely correspond to those outlined in the GDPR. Some deviations exist: for example, the Revised FADP only requires a shorter list of information to be provided in relation to the right to information. Pursuant to the Revised FADP, data subjects also have a right to object in case of automated decision-making (allowing them to have the decision reviewed by a person) and a right to data portability (i.e., the right to receive their personal data in a commonly used electronic format when processing is carried out by automated means and is based on consent or takes place in direct connection with the conclusion or performance of a contract, and the right to request transfer of such data to another controller if this does not involve a disproportionate effort).

Based on these rights, when a financial institution enters into an outsourcing arrangement, it should first clarify the processes the service provider will implement to comply with privacy-related requests exercised by data subjects whose data it controls. The outsourcing institution should also establish a process to address such requests, including ensuring that contracts contain a provision for assistance by the outsourcing service provider, similar to those required under the GDPR.

Paul Lanois, Director
Fieldfisher, Palo Alto


[1] Paul was previously a Senior Counsel at Credit Suisse, in Zurich, Switzerland.