Privacy and data protection

Discretion, confidentiality and data protection are and will remain core competencies of Swiss banking. Here is an overview of the relevant legal provisions in Switzerland as well as current developments.

Current developments

Revision of the Federal Data Protection Act (FADP)

The Federal Data Protection Act (FADP) is to be adjusted in line with the changed technological and societal conditions. The Federal Council submitted a corresponding dispatch in September 2017. According to the National Council’s Political Institutions Committee (PIC-N) decision, the full revision will now, however, be conducted in two stages.

In a first step, only the Schengen acquis in the area of criminal law and with regard to the processing of personal data is to be further developed (adoption of the EU Directive 2016/680). The corresponding decrees are expected to come into force in the first half of 2019.

In a second phase, Swiss data protection law is to be aligned more closely with the provisions of the revised General Data Protection Regulation (GDPR). The objective of this revision is to uphold the European Commission’s existing adequacy decision. With this, Swiss data protection legislation will be acknowledged as providing a level of protection equivalent to the GDPR, which is indispensable from an industry perspective in particular, as only then will information be able to flow unimpeded between Switzerland and the European Union. When the so-called “GDPR” segment can come into effect is not yet known.

In general, industry’s assessment of the Federal Council’s draft data protection law has been positive. The draft is risk-based and technology-neutral, retains the company data protection officer and reinforces self-regulation by means of a voluntary code of conduct. In the parliamentary debate, care should, however, be taken that Switzerland does not introduce any rules that are stricter than necessary (a “Swiss finish”). Furthermore, the duties to provide information and the impact assessment instrument, among other things, should be made more practicable for companies. The SBA will therefore continue to follow the FADP revision closely together with economiesuisse.

The European Union’s new General Data Protection Regulation (GDPR)

The GDPR became directly applicable on 25 May 2018. It reinforces the rights of natural persons in terms of control over their personal data. The regulation is binding for all member states of the European Union, some of which have already passed transposition laws to this end. However, the GDPR also has an extraterritorial impact. A large number of companies in Switzerland will therefore have to adhere to both the provisions of the Swiss Federal Data Protection Act, which is under revision, as well as those under the GDPR. New provisions often entail legal uncertainties. The Federal Data Protection and Information Commissioner (FDPIC) and law firm Homburger, for example, have both published analyses regarding the ramifications of the GDPR for Switzerland; these are, however, not conclusive.

Electronic identity (e-ID)

The Federal Council is currently developing the legal foundation for a state-recognised electronic identity (e-ID). The so-called e-ID law will create a legal and standardisation framework for the recognition of e-ID systems and ID providers. The concrete objective is for suitable private sector providers to be authorised by the Swiss government to issue e-IDs and operate e-ID systems.

The SBA explicitly supports the division of responsibilities between the government and the market foreseen by the Federal Council.

The involvement of the private sector is essential for the success of the e-ID. The private sector has the technological expertise and the necessary customer proximity to ensure the rapid dissemination of the e-ID nationwide, which will make this financially attractive for the sector. The banks will be particularly important here, as their mobile banking systems are used daily by millions of bank customers to identify themselves securely and in a user-friendly manner.

The e-ID will, however, only prevail if users can trust that all information used is subject to sound privacy rules.

Payment Services Directive (PSD2)

With round two of the Payment Services Directive, or PSD2 for short, the EU is reshaping the rules of the game in banking, and in particular for payment transactions. The directive, among other things, obliges banks in the EU to give third parties access to bank accounts.

The SBA rejects an equivalent regulation for the Swiss financial centre. Not least because of security concerns, it concludes that Switzerland should forgo a government-mandated opening of account access rights to third parties.

The issue of the security of customer data plays a key role in electronic banking. The highest level of security can, however, only be guaranteed if there is collaboration between the customer and the bank. A one-sided opening, on the other hand, is dangerous, because it does not fully address bank-specific security principles, which can result in security gaps.

Federal act on financial services (Financial Services Act, FinSA)

The planned FinSA also contains specific requirements relating to data protection; these apply in addition to the FADP and can overlap with the provisions under the FADP. For example, the entitlement of customers to receive a copy of all documents that the financial services provider has prepared within the context of their business relationship set out in Art. 75 E-FinSA, generally corresponds to Art. 8 FADP, which governs the right to information and therefore also the duty to provide information with regard to personal data.

Data protection

The protection of privacy is a human need. According to Art. 13 of the Swiss Federal Constitution, every person therefore has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications and – in the broader sense – the right to be protected against the misuse of their personal data.

In our increasingly digital world, data determine our lives, at all times and everywhere. Once saved, information remains on the Internet for a very long time and can therefore potentially also be used for purposes that do not correspond with the wishes of the user. Companies as well as private individuals therefore have a strong interest in knowing that the protection of their data is respected and ensured. Particularly banks, which can look back on a long tradition of discretion and confidentiality, are aware that detailed information about a person’s financial situation is among the most sensitive that can be disclosed.

Data protection law

In Switzerland, the Federal Act on Data Protection (FADP) protects the privacy and the fundamental rights of natural and legal persons when their data is processed. It sets out the requirements for permissible data processing in accordance with the rule of law and therefore protects against possible abuses. It lays down the principle that no more client-related information than required may be collected (principle of proportionality and data minimisation).

Data protection aims to protect the right to informational self-determination. This refers to the concept that every citizen should be able to determine for themselves the disclosure and the use of their own data. The data protection law therefore gives citizens various possibilities for exercising their privacy rights.

Right to information

Art. 8 FADP sets out the so-called right to information. Any person may request information from the controller of a data file as to whether and which data concerning them is being processed. The corresponding information must normally be provided in writing and at no cost. The provision of information may only be refused or restricted if a formal enactment so provides or if the overriding interests of third parties so require (Art. 9 FADP). In all other cases, the controller of a data file must provide complete information and also provide details about the source and purpose of the processing.

Duty to provide information

In connection with the right to information, the FADP recognises the so-called duty to provide information. If particularly sensitive personal data and personality profiles are collected, the affected natural persons are to be actively informed thereof by the controller of the data file. This includes the purpose of the processing, and in the event of disclosure, the data recipient.

The provisions under the data protection law apply only to the processing of so-called personal data. This is defined as all information relating to an identified or identifiable person (an IP address, for example). Conversely, the FADP is not applicable to information about natural persons that is processed by a natural person exclusively for personal use and which is not disclosed to third parties.

Data security

In the age of mobile banking and payment apps, countless bank customers use their computer or smartphone daily to access their account or credit card information. Dealing with security vulnerabilities therefore represents a particular challenge. This applies even more so when vulnerabilities in security precautions damage not only the affected institutions, but at the same time also the reputation of the financial centre as a whole. The banks react to this by identifying new risks in a targeted manner and trying to limit them. In addition, the issue of data protection and the aspect of data security are increasingly being discussed and decided on by the Boards of Directors and Executive Boards of banks.

In Art. 7 of the FADP, the data protection law sets forth that personal data must be protected against unauthorised processing through adequate technical and organisational measures. A supervisory definition of the concept of data security for banks can be found in FINMA Circular 2008/21 “Operational risks”. Annex 3 of the circular sets out nine principles for the proper management of electronic client data (so-called “client identifying data”, CID). The requirements are primarily technical in nature and cover, among other things, the establishment of an independent supervisory body, appropriate security standards for infrastructure and technology, as well as risk identification and control in relation to CID confidentiality. Banks are therefore required to establish a comprehensive framework for ensuring the confidentiality of client data in the digital world.

Bank-client confidentiality

Bank-client confidentiality (Art. 47 of the Banking Act) is comparable to the professional duty of confidentiality and as such equivalent to that of doctors or lawyers. It aims to protect financial privacy and covers all conclusions of fact, value judgements and other information (including personal evaluation results) that can be attributed to a bank customer. Bank-client confidentiality therefore goes further than the data protection law. Contrary to a widely held belief, however, it does not apply without limitation. Criminals in particular are not protected by bank-client confidentiality, which was introduced in 1934. For

  • civil proceedings (for example pertaining to inheritances or divorces),
  • debt recovery and forced liquidation proceedings,
  • criminal proceedings (particularly also in the case of tax fraud),
  • proceedings by the supervisory authority, as well as
  • proceedings relating to the cross-border exchange of information,

the banks have since been required to disclose information about customers. Nevertheless, bank-client confidentiality has in recent years – particularly as it relates to tax matters – undergone a far-reaching transformation. Driven by developments at the international level, greater importance has also been given to transparency in Switzerland vis-à-vis tax and supervisory authorities.

Automatic exchange of information (AEOI)

Since 1 January 2017, the Swiss banks have been implementing the automatic exchange of information (AEOI) with countries abroad. The AEOI governs how the tax authorities of participating countries exchange information regarding taxpayers’ accounts and safekeeping accounts. Switzerland is particularly impacted by the AEOI, as over one-quarter of global cross-border assets are managed in our country. The Swiss government and the banks have therefore strongly advocated within the OECD for the most practicable and fair design of the AEOI standard; this also includes the emphatic demand for sufficient data protection.

Foreign Account Tax Compliance Act (FATCA)

Increased transparency requirements also apply vis-à-vis the US. FATCA is a unilateral US tax law with extraterritorial effect, which aims to curb potential tax evasion that is detrimental to the US. It is aimed at financial institutions around the world and requires them to periodically provide the US tax authorities with information about so-called US accounts. Switzerland – like many other countries – concluded an intergovernmental agreement for the facilitated implementation of FATCA (the so-called FATCA Agreement). A Swiss FATCA law was then enacted on the basis of this agreement and has been in effect since 30 June 2014.