Revised Act on Data Protection

The revised Swiss Federal Act on Data Protection (revFADP) will enter into force on 1 September 2023. The aim of the new Act is to align Swiss data protection law with the standards of the European Union, under the General Data Protection Regulation (GDPR). It will therefore bring about important changes to and new requirements for the way Swiss companies process personal data.

Portfolio managers collect and process personal data of their clients on a regular basis and will be subject to the new requirements of the law. 

Here is what you should bear in mind to ensure compliance with the revFADP. 


By Adrien Tharin
Director - FinTech, Blockchain and Digital Assets, PwC Legal Switzerland
And Cecilia Peregrina
Senior Manager Fintech, Blockchain & Digital Assets, PwC Legal Switzerland
And Anouk Geene
Associate, Data Protection, ICT, Implementation+, PwC Switzerland


The basics

Personal data needs to be understood in the broadest of terms as it includes any information that relates to an identified or identifiable natural person. This can range from their full name and contact information to their license plate number and IP address.

Information relating to a person’s health, including their genetic and biometric data (such as a passport picture), is considered sensitive personal data and receives extra protection. Also included in this category is personal data revealing racial and ethnic origin, political opinions, religion, trade union membership, and sexual orientation.

The revFADP introduces a series of obligations for any organisation collecting and/or processing personal data, which mirror various rights conferred upon individuals (data subjects). The purpose of the new law is to ensure transparent data processing that individuals can challenge, restrict, or object to. Data processing must comply with the requirements of the law and rely on a specific legal basis. The revFADP requires that technical and organisational measures be in place to prevent loss, theft, or misuse of personal data. It also limits the ability to freely transfer personal data to third parties or to other jurisdictions.

The Federal Data Protection and Information Commissioner (FDPIC) will receive extensive supervisory powers and is allowed to refer infringements to prosecuting authorities.


Duty to inform

Data subjects must be provided with adequate information about the processing of their personal data. They must be told about the type of data that is being processed and for what purpose, as well as the information needed to enforce their rights. A few exceptions to the right to information exist, including when the personal data is collected for the purpose of complying with legal obligations of the controller (e.g., for financial institutions, typically KYC/AML).


Register of Processing Activities

In principle, all companies processing personal data must create a Record of Processing Activities (RoPA), which documents all the processing activities performed within the organisation, including the nature and purpose of the processing, its legal basis, third-party providers, retention periods, etc. It is mandatory for organisations to have such an up-to-date RoPA, except for low-risk processing of personal data by companies with fewer than 250 employees. In practice, external help from an advisor can be sought for the creation of such a register.


Data Subject Rights

In alignment with the GDPR, the revFADP gives individuals many rights with respect to their personal data. In particular, they can object to and restrict certain types of processing. They can also ask for their data to be corrected or deleted (“right to be forgotten”). In practice, requests from data subjects can be handled with ease when the controller has the necessary processes and internal directives in place. In certain cases, the data processing is based on the consent of the data subject, which must be informed and freely given, and subject to revocation at any time.


Data Transfers

Transfers of personal data are in principle only authorised if sent to jurisdictions that offer a similar level of protection; in the absence of such protection, special contractual measures need to be implemented. So-called “Standard Contractual Clauses” (SCCs) recognised at the European level can be used, provided they have been adapted to Swiss law. In recent cases, the use of cloud computing/storage has been questioned by several data protection authorities, including the FDPIC. It is recommended to perform a Transfer Impact Assessment to determine whether the transfer carries risks and whether mitigation measures must be put in place.


Data protection advisor (DPA)

The new law does not formally oblige companies to nominate a Data Protection Advisor (equivalent to the Data Protection Officer (DPO) under the GDPR). Nonetheless, the appointment of a DPA is recommended as the handling of questions relating to data protection and/or privacy requires specialist knowledge and familiarity with the requirements of the new law.


Data breaches and fines

One of the differences between the revFADP and the GDPR is that the fines in Switzerland are imposed on the individuals in charge of data protection or, in their absence, on the executive functions that should have ensured compliance (ultimately meaning the board of directors of the company). Failure to comply with data protection regulations can be fined up to CHF 250’000 per infringement, per person. Many organisations have already adapted their insurance policy accordingly.


Main impact for portfolio managers

While most banks and financial institutions have already adapted their organisation and internal documentation to the GDPR, many have waited for the introduction of the revFADP. For such late adopters, including most Swiss portfolio managers, the adaptation work should not be overlooked and must be done within the next 6 months, before the entry into force of the new law in September 2023. In particular with respect to data transfers abroad, an appropriate legal framework must be put in place. Experience shows that compliance with the regulation need not negatively impact the existing structure and resources; on the contrary, it can be especially beneficial, as it provides a better understanding of the type of data being processed and oftentimes allows for further analysis of data on the business itself. Creating a RoPA and keeping it up to date, while identifying the legal basis of the various processing activities, also ensures that any requests from data subjects or the authority will be handled smoothly. It is therefore an opportunity to better grasp the new regulatory regime while complying with ever-increasing compliance obligations.


Biographies

Adrien Tharin is an experienced legal, regulatory and change management advisor in the financial services industry. He is a Director in the Legal Financial Services Regulatory & Compliance Services practice within PwC Legal Switzerland and is actively involved in the fields of regulatory fintech & blockchain, data protection and corporate matters.

Cecilia Peregrina is a legal expert in legal and regulatory matters with more than 15 years of practice in the field of asset management. She joined the legal practice of PwC Switzerland in 2022 and advises clients in legal, regulatory and licensing matters.

Anouk Geene is a legal expert in Data Protection and a member of PwC Legal Switzerland's Data Privacy | ICT | Implementation+ practice. She advises clients on all aspects of data privacy and governance and their data protection compliance implementation journey.