Total revision of the Data Protection Act
The new Swiss Data Protection Act (DPA) will enter into force on September 1st, 2023. The changes introduced by this total revision of the law will impact financial institutions. Thanks to our combined expertise in banking law and European data protection law (RGPD), we assist companies and financial institutions in particular in implementing and monitoring the new requirements introduced by the DPA. We are thus able to propose a compliance specifically adapted to the financial sector, taking into account its needs and constraints. Our partnership with Aurore Chasseloup Léauté, co-founder of the EMROADS law firm in Paris and specialist in European data protection law (RGPD), allows us to efficiently address the DPA in an international context.
Impacts of the new DPA on financial institutions
The revised DPA provides for a new requirement to keep a register containing an inventory of all processing activities. An exemption is available for SMEs with less than 250 employees, unless they process sensitive data on a large scale or engage in high risk profiling.
In the event a data security breach is likely to result in a high risk to the personality or fundamental rights of the data subject, the data controller must now report the breach to the Federal Data Protection and Information Commissioner (FDPIC) without delay. In certain cases, a specific duty to notify the data subject is provided for. These reporting obligations apply to financial institutions in addition to the obligation to report cyberattacks to FINMA.
The data controller is required to disclose information to users regarding the recipients of subcontracted data. Prior consent of the data controller is required in the event of further subcontracting to a third party.
The revised DPA introduces a new duty to inform data subjects when their data are transferred abroad. Information shall now be provided on (i) the name of the receiving state or international organization, as well as, as the case may be, (ii) the applicable guarantees or (iii) the available exemption as provided by the law. Furthermore, the list of countries offering an adequate level of protection is now provided in the Annex to the implementing Ordinance (“revDPO”).
The new DPA significantly extends the data controller’s duty to inform the individuals whose data are being collected. Consequently, data subjects are granted an extended right of access to their data, subject to new exemptions which may apply to companies, notably to prevent abuse of rights.
Furthermore, a specific extended information duty is introduced for automated decisions, when such decisions produce legal effects or significantly affect the data subject.
Moreover, the DPA provides for a new right to data portability, allowing data subjects to obtain their personal data or to have them transferred to another data controller.
When the data processing presents a high risk for the personality or fundamental rights of the data subject, an impact assessment must be conducted. Situations in which data processing is required by virtue of a legal obligation, such as those arising from the anti-money laundering legislation, are reserved. The impact assessment must include a description of the contemplated processing, an assessment of the risks involved and the measures undertaken to mitigate these risks.
Financial institutions are under an obligation to document their data treatment process. To this end, they are required to establish a Privacy Policy, and to put in place internal guidelines on data privacy and security as well as on data processing by employees (e-mails, etc.). In addition, a Processing Regulation must be implemented, if large scale processing of sensitive data or high risk profiling is involved.
Pierre-Olivier Etique
Pierre-Olivier Etique has been advising banking and financial institutions for over 15 years. In particular, he has implemented several large-scale regulatory projects for banks. Pierre-Olivier regularly deals with data protection issues, whether from a regulatory or a contractual perspective (e.g. implementation of outsourcing projects, review of contracts involving cross-border data transfers, analysis of data transfer issues within financial groups, review of General Business Terms and Conditions from a banking secrecy and data protection perspective, Cloud Banking).
Aurore Chasseloup Léauté
Aurore has been practicing as a lawyer for more than 15 years and assists companies, in all sectors, in the implementation of their data processing in respect of the obligations provided by the GDPR: integration of contractual clauses relating to the processing of personal data, mapping of data flows, establishment of data processing registers, data protection charters, information technology charters, registers of security breaches, assistance in carrying out impact analyses, awareness-raising and training of staff on the processing of personal data.