The new Data Protection Act in Switzerland

Data in the financial sector is among the most sensitive and regulated in Switzerland. The new Data Protection Act will introduce new requirements.

Financial-sector data is one of the most sensitive and highly regulated categories of data in Switzerland. The statutory and regulatory landscape in the financial sector is complex. Requirements are found in the Data Protection Act, the Banking Act, the Anti-Money Laundering Act as well as FINMA circulars. The latest change is the enactment of the new Data Protection Act (nDPA) on 1 September 2023. It introduces significant changes to strengthen data protection regulations in Switzerland. While the fundamental principles of Swiss data protection law remain unchanged, there are important amendments that will impact the financial sector.

This article highlights three key changes, their implications, and the challenges they pose for financial institutions.

Andreas Hagi

Director, Financial Services

KPMG Switzerland

Francesco Gaetano Fazzi

KPMG Switzerland

Overview of the most important changes for financial institutions as of 1 September 2023

1. From principles to rules: organizational and technical measures

The European Union's (EU) General Data Protection Regulation (GDPR) has been a pioneering force in global data protection legislation, significantly impacting the financial sector by elevating data protection measures, transparency and accountability in handling customer data. With this in mind, financial institutions may mistakenly assume that their GDPR compliance will seamlessly translate to compliance with the nDPA. However, this assumption overlooks a crucial distinction between the two regulations. While the GDPR relies more on guiding principles, the nDPA adopts a rule-based approach, establishing explicit expectations for data controllers and processors through the new Data Protection Ordinance (nDPO).

The nDPO extends the scope of organizational and technical measures that data controllers and processors must implement to ensure that data security is commensurate with the processing risks. Additionally, it mandates appropriate measures to guarantee data confidentiality, availability, integrity and transparency. Financial institutions, as data controllers and processors, face the challenge of adapting their existing GDPR-compliant frameworks to meet the more stringent and precisely defined requirements of the nDPA.

Although both regulations aim to safeguard data privacy, the nDPA's rule-based structure offers financial institutions greater legal certainty than the GDPR's principle-based approach. The clearly outlined guidelines in the nDPO leave minimal room for interpretation or ambiguity, resulting in less uncertainty and lower legal risk for organizations. However, to ensure data protection excellence in the Swiss financial landscape, financial institutions must navigate the complexities of aligning their data processing practices with the specific provisions of the nDPA, which requires careful assessment, meticulous adjustments and rigorous compliance.

2. Aligning with the GDPR: record of processing activities

The nDPA has made significant strides in aligning data protection regulations with the GDPR by introducing the requirement for organizations to maintain a comprehensive Record of Processing Activities (ROPA), similar to the GDPR's Article 30. This record serves as an inventory detailing all data processing activities conducted by the organization. It includes information such as the purposes of data processing, the categories of data processed, recipients of data, data retention periods, and details of any data transfers. By mandating this record, the nDPA enhances transparency and accountability, enabling organizations to demonstrate compliance with data protection principles and facilitating cooperation with supervisory authorities in case of investigations or audits.

Establishing a ROPA retroactively, particularly for large organizations such as financial institutions operating across borders, can be a daunting and challenging task. The ROPA is a comprehensive inventory that documents all data processing activities, including purposes, categories of data, recipients and transfers, among other details. For large organizations that have been processing data for years without maintaining such records, the process of retroactively creating a ROPA can be overwhelming due to the sheer volume and complexity of data processing activities involved. Data might be scattered across various departments and systems, making it difficult to track and gather all relevant information accurately.

Additionally, large organizations often deal with a wide range of data processing operations across different business units and jurisdictions, which further complicates the retroactive ROPA creation process. Identifying all data processing activities, understanding their context and documenting them thoroughly requires significant resources, time and collaboration across various departments. The lack of a pre-existing ROPA can lead to challenges in retrieving historical data processing information and potential discrepancies in the records, potentially exposing the organization to compliance risks.

Overcoming these difficulties necessitates a comprehensive data mapping exercise and close coordination between legal, IT and data protection teams. Large organizations may need to invest in specialized tools and resources to streamline the process and ensure accuracy. Despite the challenges, establishing a ROPA is crucial for compliance with data protection regulations, and demonstrates an organization's commitment to data transparency and accountability. It enables organizations to manage data more efficiently, minimize privacy risks and build trust with data subjects and regulatory authorities.

3. A new approach to sanctions: fines against individuals for violations

The extraterritorial application of the nDPA is a significant step towards aligning with the GDPR in terms of jurisdiction. Similar to the GDPR's scope, the nDPA now applies to data controllers and processors located outside Switzerland if they receive data from Swiss residents or individuals. This extension of territorial reach ensures that organizations abroad that handle Swiss data must also comply with the nDPA requirements, providing enhanced protection to Swiss data subjects regardless of where their data is processed.

However, there is a notable difference in the enforcement of sanctions between the two regulations. Under the GDPR, data protection authorities in each EU member state have the authority to impose fines on organizations for violations, and the maximum fines can be up to 20 million euros or 4% of the global annual turnover, whichever is higher. In contrast, under the nDPA, sanctions for non-compliance are enforced through the criminal law regime against individuals, and fines can go up to 250,000 CHF.

These fines will be issued by public prosecutors, potentially leading to sanctions being enforced beyond Switzerland's borders, in contrast to GDPR fines, which are solely within the jurisdiction of EU member states' data protection authorities. Data protection-related investigations can be initiated on request by any data subject or by the Federal Data Protection and Information Commissioner (FDPIC) itself.

This difference in the enforcement mechanism can have implications for how violations are pursued and penalties applied. While GDPR fines are imposed by specialized data protection authorities, the nDPA allows public prosecutors to handle violations. As a result, organizations such as financial institutions handling Swiss data outside Switzerland must be aware of the potential enforcement actions and legal consequences in various jurisdictions, depending on the location of the violation.

Next steps

As the nDPA is on the verge of enactment, it's a timely opportunity for organizations to review and potentially enhance their data governance. This step is essential to ensure compliance with pending legislation and to help protect individual data privacy rights. To accomplish this, organizations should conduct a comprehensive assessment of their existing data processing practices, identify areas that need adjustment, adjust their policies accordingly and ensure the implementation of the legally required organizational and technical measures. 

This process should involve stakeholders from various departments, including IT, legal, compliance and senior leadership. By taking these measures, organizations can demonstrate their commitment to responsible data processing, adapt to the evolving landscape of data protection and foster a culture of transparency and compliance throughout the organization.

KPMG Switzerland is a leading expert in guiding financial institutions to achieve compliance with both the nDPA and the GDPR. With extensive experience in the field, we offer tailored solutions, ensuring robust data protection measures and enhanced transparency. Our proven track record makes us a trusted partner for seamless compliance in the Swiss financial industry.