The Impact of the revised Data Protection Act on Outsourcings by Swiss Financial Institutions

On 25 September 2020, the Swiss parliament adopted the entirely revised Data Protection Act (revDPA), which largely follows the regime provided by the EU General Data Protection Regulation (GDPR) with very limited Swiss finishes. On 3 March 2022, the target date for the revDPA to enter into force was set for 1 September 2023. The revDPA will be very relevant for Swiss financial institutions, which are already today subject to a multitude of regulations, including regulations that (partially) govern the processing of personal data and outsourcing. However, the revDPA will govern data processing in a comprehensive manner and will significantly impact outsourcings by financial institutions. This article provides guidance to financial institutions which outsource (or wish to outsource) business areas to professional service providers and sets out the most relevant requirements of the revDPA that such institutions need to take into account above and beyond what already applies under the various financial market regulations to which they are subject.

By Leo Rusterholz (Reference: CapLaw-2022-15)

1) Data processing and outsourcing rules which already apply to Swiss financial institutions today

a) Data processing regulations 

Swiss financial institutions are already subject to financial market regulations partially covering data processing/protection (in addition to the (current) DPA, which applies on top), as follows:

Banks (including holders of a ‘fintech license’) are in particular subject to: 

(i) banking secrecy (article 47 of the Banking Act) which protects client identifying data/CID (i.e. data directly, indirectly or potentially indirectly identifying bank clients) from disclosure to third parties such that clear text CID (i.e. CID that is neither anonymized nor sufficiently and properly pseudonymized (with the correlation table retained only by the bank) or encrypted (with the decryption means only at the disposal of the bank) and where the recipient can (re)identify individual bank clients without major efforts) may not be disclosed to an outsourcing service provider without the express consent of each individual client – at least if such provider receives CID abroad (without going into details of the legal doctrine permitting disclosure of CID to Swiss (cloud) providers as agents of the bank). Such consent is customarily procured under the bank’s general terms and conditions; and 

(ii) the FINMA OpRisk Circular (Circular 2008/21), in particular its Annex 3, which specifies detailed measures with respect to the storing, processing and transferring of electronic CID. In case of transferring CID abroad, the related increased risks must be limited and such CID protected adequately.

Financial institutions subject to the Financial Institutions Act (i.e. asset managers, trustees, managers of collective assets, fund management companies and securities firms) are also subject to a professional secrecy obligation (article 69 of the Financial Institutions Act), whereby above remarks on banking secrecy apply mutatis mutandis.

Apart from the obligations of the DPA, which apply to all personal data processed by all Swiss financial institutions, Swiss labour law provisions also provide for data processing limitations with respect to applicants’ and employees’ personal data (article 328b of the Swiss Code of Obligations). Thereunder, applicants’ and employees’ personal data processing is only permitted if necessary for the assessment of job suitability or for the performance of the employment contract. Further processing is only possible (i) to the extent a specific law grants the employer the right to process certain employee data (e.g. tax, healthcare, social security regulation, etc.) or (ii) according to legal doctrine if justified by the employee’s consent, to the extent such consented data processing is solely to the benefit of the employee. Recent case law however suggests that article 328b is only a data processing principle and that the (free and informed) consent may also justify further processing not solely to the employee’s benefit. In any event, the limitations on data processing in the employment context will remain unaffected by the revDPA and must be duly considered, in particular when transferring such protected data within an HR outsourcing. 

b) Outsourcing regulations

Swiss financial institutions are further subject to a variety of outsourcing related regulations, which also vary significantly in their extent depending on the type of financial institution concerned. 

Banks (including holders of a fintech license) are regulated most extensively and are in particular subject to: 

(i) the FINMA Outsourcing Circular (Circular 2018/03), which also applies to insurers, reinsurers, securities firms, managers of collective assets, fund management companies and self-managed investment companies with variable capital (SICAV). It provides for compliance with detailed requirements (when such in-scope institutions outsource a significant business area), including a requirement to keep an inventory of all outsourced services and to conclude a written agreement setting out (among others) security and business continuity requirements, audit and inspection rights and early information on use or replacement of subcontractors (providing significant functions), including a transfer of all of the provider’s obligations to such subcontractor, and related termination rights. Additional requirements apply in case of outsourcing abroad (see 4.). In the course of a major overhaul, all data protection related requirements were removed from this Circular;  

(ii) the FINMA Guidance on the Duty to Report Cyber Attacks (Guidance 05/2020), which applies to all FINMA-supervised institutions and provides for procedures, deadlines (whereby an initial notification to FINMA must be made within 24 hours of the attack) and the (minimum) content of notifications related to cyberattacks essential for supervision. If a financial institution outsources essential functions, it is also responsible for notifications of (essential) cyberattacks at its outsourcing service provider (related to such outsourced function); and

(iii) three chapters (business continuity management strategy, business impact analysis and business recovery options) of the Swiss Bankers Association’s Recommendations on Business Continuity Management (BCM), which have been recognized by FINMA to constitute a binding minimum standard.

Financial institutions subject to the Financial Institutions Act (even those not already covered by the FINMA Outsourcing Circular) are (also) subject to outsourcing related provisions under articles 14, 27 (applicable only to managers of collective assets), 35 (applicable only to fund management companies), 64 and 68 of the Financial Institutions Act, as further detailed in articles 15-17 of the Financial Institutions Ordinance, which among others also provide for a duty to conclude an agreement with certain minimum content.

2) Rules that Swiss financial institutions will need to comply with under the revDPA

a) Additional (new) rules and obligations

i) Data subjects’ individual rights

Data subjects will continue to have a right to access their personal data. Such right covers access to information on the controller, the processed data (including their source, if available), data recipients and the processing purpose and, under the revDPA, also the duration of data retention and the logic behind automated decision making (see below under ii), as applicable. Although access rights already arise out of articles 16 (as further detailed in article 19 of the Financial Services Ordinance) and 72/73 of the Financial Services Act (which applies to financial service providers, client advisers and producers and providers of financial instruments and sets out among others that clients are entitled to receive a copy of all documents concerning them and prepared within the context of the business relationship), the access right under the DPA/revDPA arguably goes beyond the foregoing requirements, such that in essence all documents containing any personal data of the requesting data subject must be disclosed (subject to certain limitations set in the DPA/revDPA and by recent case law as regards fishing expeditions in preparation of litigation, for which the access right may not be abused). 

Data subjects will further have a new right to intervene in case of automated decision making (and may generally request to express their point of view and have the decision reviewed by a person) and a new right to data portability (i.e. to receive own personal data in a commonly used electronic format, where the processing is (i) carried out by automated means and (ii) based on consent or occurs in direct connection with the conclusion or performance of a contract; and to request transfer of such data to another controller if it does not involve a disproportionate effort).

Thus, when entering into an outsourcing arrangement, the financial institution must clarify what processes the service provider implements in order to be able to comply with data protection related requests exercised by data subjects of the data it controls (and transfers to the outsourcing service provider for processing). The outsourcing institution should of course also establish a process to address related requests efficiently, including contractual provision of necessary assistance by the outsourcing service provider (as already required under the GDPR for commissioned data processing).

ii) Governance and process rules

The revDPA foresees extended (active) information duties (at the time of collection of personal data): data subjects must at least be informed about the controller’s identity and contact details; the processing purpose(s); in case of disclosure to third parties, the recipients (or categories of recipients); in case of disclosure abroad, the jurisdiction to which the data is transferred and the safeguards implemented, as applicable; and any decisions solely based on automated data processing and having legal effects or significantly affecting the data subject. Although mostly in line with the GDPR, the revDPA also requires disclosure of every single jurisdiction to which personal data is transferred, irrespective of whether such jurisdiction provides for adequate data protection legislation or not (Swiss finish). That is, if in the course of an outsourcing personal data is transferred (by the service provider) to multiple jurisdictions within the EEA, every single EEA member state still needs to be disclosed, and therefore the template wording provided by outsourcing service providers will often need to be (slightly) adjusted. 

The revDPA further introduces a duty to maintain records of data processing activities, which must at least include information on the controller/processor, purpose(s), data categories, recipients and destination jurisdiction. Exemptions apply for companies with less than 250 employees and low risk data processing activity (as further determined in the corresponding ordinance). The GDPR’s corresponding exemption only applies if – further to the revDPA’s prerequisites – data are only processed occasionally and no special categories of data or data relating to criminal convictions and offences are processed. Financial institutions may comply with this obligation by extending the inventory of outsourced services (to be kept in accordance with the FINMA Outsourcing Circular) by the respective information required under the revDPA, which again entails obtaining the relevant information also from the outsourcing service provider. That being said, a lot of information to be maintained in the data processing records must (albeit in much less detail) also be notified to the data subjects, which is customarily done in aggregate by setting the general information out in a publicly available privacy policy. 

Data processing may be assigned to a processor (either) by agreement (or by law). However, under the revDPA, a processor may no longer engage a sub-processor without the prior authorization of the controller (which may be given in general or only with respect to certain pre-approved sub-processors). In contrast to the GDPR, the revDPA does not prescribe any (minimum) content for such data processing agreements or audit rights by the controller. Financial institutions must note that data processing may only be commissioned if no statutory (or contractual) secrecy obligation prohibits such data processing (in particular the transfer and disclosure of CID). Existing data processing agreements must therefore be reviewed and amended, as necessary. That being said, the FINMA Outsourcing Circular already prescribes similar requirements, and therefore, for a large number of financial institutions (in scope of the Circular), no additional obligations may arise out of the revDPA (in particular as it prescribes no minimum content). 

Under the revDPA, controllers must perform a Data Protection Impact Assessment (DPIA) (including a description of the envisaged processing and an assessment of risks and protective measures) whenever it appears that an envisaged data processing activity is likely to lead to a high risk to personality or fundamental rights of data subjects (e.g. in case of processing of sensitive personal data on a broad scale). The controller must generally consult with the Federal Data Protection and Information Commissioner (FDPIC) prior to such processing, if the DPIA indicates that the contemplated processing may be of a high-risk nature despite any measures taken. Outsourcing of general business processes may often not justify a DPIA, however depending on the outsourced activity concerned, a DPIA may become necessary.

Data breaches that are likely to lead to a high risk to the personality or fundamental rights of the data subject(s) concerned must be notified to the FDPIC as quickly as possible (contrary to the GDPR, which prescribes a 72-hour period, where feasible), including the type of breach, its consequences and the implemented (or planned) measures. If necessary for the protection of the data subject(s) or if requested by the FDPIC, the respective data subjects must also be notified. Again, a more detailed data breach notification (including binding deadlines) is already provided for under the FINMA Guidance 05/2020, such that for all FINMA-supervised financial institutions no additional requirements as regards subject matter and process may actually arise (the FINMA Guidance 05/2020 even applies to (essential) cyberattacks related to non-personal data, and many data breaches under data protection legislation will arguably arise following a cyberattack). That being said, an accidental disclosure of personal data to unauthorized third parties without any actual attack is still a data breach under the relevant data protection laws. The recipient of the data breach notification is however different (FINMA on the one hand; the FDPIC and the data subjects, as applicable, on the other).

b) Reliefs

i) General reliefs

Personal data pertaining to legal entities are no longer in scope of the revDPA, which corresponds to the GDPR and most foreign data protection laws. It should be noted, however, that whenever dealing with a legal entity, the personal data of employees or other staff acting on behalf of such legal entity is still personal data of the respective individuals and subject to the full protection of the data protection laws. Financial institutions should further note that banking secrecy and the professional secrecy of financial institutions continue to apply to all types of clients, i.e. also to clients that are legal entities.

The obligation to notify (and register with) the FDPIC any data files (i.e. collections of personal data with a structure facilitating a search for data on a particular individual) if, among others, (clear text) personal data is regularly transferred to a third party (which is the case in most outsourcings) is removed under the revDPA and replaced by the duty to maintain records of processing activities. 

ii) Relief applicable under particular circumstances

To the extent a data protection advisor (who meets certain prerequisites set out in the revDPA) has been appointed and notified to the FDPIC, the consultation of such advisor (who may also be a group data protection officer or third party located abroad) may substitute the otherwise required consultation of the FDPIC following a DPIA, as applicable. Contrary to the GDPR, there will be no obligation to appoint a data protection advisor. 

3) Swiss financial institutions already subject to (or compliant with) the GDPR

Many Swiss financial institutions already comply with the GDPR because they are subject to it by way of its extra-territorial application (in particular, if they process personal data of data subjects resident in the EEA while offering financial services to them) or because they are part of an international group, which decided to implement GDPR compliance for all (including its Swiss) group entities in the interest of consistency and scalability. Such institutions have a significant advantage in preparing for compliance with the revDPA since many of the new provisions follow the corresponding provisions of the GDPR (albeit often with a lighter Swiss touch) and the revDPA provides for very limited Swiss finishes as described in this article.

It should, however, be clarified in every outsourcing/data processing agreement that the outsourcing service provider may not process (or sub-process) personal data/client data for its own purposes (in order to avoid the outsourcing service provider acting as a controller) and that proper references are made to client data as such term is defined and protected by the relevant secrecy laws, which definition is (i) different from personal data under the GDPR (Swiss resident data subjects must be captured) and also (ii) wider than personal data under the revDPA (see 2) b) i) above). 

4) Cross-border transfers

Cross-border disclosure to any jurisdiction providing an adequate level of data protection remains permitted under the revDPA. However, the Federal Council (instead of the FDPIC as currently) will decide on the jurisdictions providing such adequate data protection legislation. For transfers to other countries, data exporters may rely on treaties, contractual clauses notified to the FDPIC in advance or pre-approved standard contractual clauses (such as the 2021 SCCs set out in the Annex to the EU Commission Implementing Decision 2021/914, as recognized by the FDPIC subject to certain additions required for compliance with Swiss law) or binding corporate rules (BCR). The duty to notify the FDPIC in case cross-border transfer is based on pre-approved standard contractual clauses or BCR is removed. 

As a notable Swiss finish, every country to which (clear text) personal data is transferred must be disclosed (irrespective of whether or not such destination country provides for adequate data protection legislation – however, if it does not, the risks of the transfer in relation to the data protection level in such destination country must also be properly disclosed). Thus, simply stating that, e.g., “personal data will be transferred to countries outside the EEA, UK and Switzerland, including the U.S.” will no longer be sufficient. 

When outsourcing to a jurisdiction not providing for adequate data protection legislation (such as the U.S.) and thereby (clear text) personal data is transferred, the financial institution must (from a data protection perspective) either: obtain the (informed) consent of each data subject individually, or put measures in place to ensure that the data is adequately protected in the relevant jurisdiction (e.g. sufficient contractual guarantees or BCR, whereby the latter is only possible if the outsourcing takes place within a legal entity or among legal entities under common control and if all involved parties are subject to the BCR). However, such data protection related measures substituting the consent arising out of data protection laws will not substitute the necessary consent under applicable secrecy laws (see 1. above). Thus, in most cases if clear text (personal) data of clients is transferred/disclosed to an outsourcing service provider, obtaining consent from such clients with respect to applicable secrecy laws cannot be avoided. It is further important to note the following: Pseudonymized/encrypted data is still personal data for all purposes as regards data processing by the owner of the correlation table/decryption means – only the transfer (and subsequent processing) of pseudonymized/encrypted data to a provider (who does not have access to the correlation table/decryption means) is out of scope of the DPA/revDPA.
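The distinction drawn in 1) a) (i) and in the last sentences above turns on who holds the correlation table or decryption means: the pseudonymized export is out of scope of the DPA/revDPA only for the provider that cannot re-identify clients, while the bank, which keeps the table, still processes personal data. The following Python example is added here for illustration and is not code from the article or from any bank or provider; the record layout, field names and client data are constructed, and the `Pseudonymizer` and `keyed_pseudonym` helpers are hypothetical. It shows a bank-side pseudonymization that strips CID into a correlation table retained by the bank, a pre-export check that no CID value leaks into the provider-facing data, and a keyed (HMAC) variant for cases where the provider must link records of the same client across deliveries without ever seeing the identifier.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample records (fictitious clients, not real data).
CLIENT_RECORDS = [
    {"client_id": "CH-1001", "name": "Anna Muster", "iban": "CH00 0000 0000 0000 0000 1", "balance": 12500},
    {"client_id": "CH-1002", "name": "Beat Beispiel", "iban": "CH00 0000 0000 0000 0000 2", "balance": 980},
]

# Fields treated as client identifying data (CID): they must not leave the bank in clear text.
CID_FIELDS = ("client_id", "name", "iban")


@dataclass
class Pseudonymizer:
    """Bank-side pseudonymization. The correlation table (token -> CID) never leaves the bank."""
    correlation_table: dict = field(default_factory=dict)

    def pseudonymize(self, record):
        # A random token carries no information about the client; re-identification
        # is only possible through the correlation table held by the bank.
        token = secrets.token_hex(16)
        self.correlation_table[token] = {k: record[k] for k in CID_FIELDS}
        out = {k: v for k, v in record.items() if k not in CID_FIELDS}
        out["token"] = token
        return out

    def reidentify(self, pseudonymous_record):
        # Raises KeyError for anyone without the correlation table (e.g. the provider).
        cid = self.correlation_table[pseudonymous_record["token"]]
        payload = {k: v for k, v in pseudonymous_record.items() if k != "token"}
        return {**cid, **payload}


def export_for_provider(records, pseudonymizer):
    """Build the dataset handed to the outsourcing provider: business data plus tokens only."""
    return [pseudonymizer.pseudonymize(r) for r in records]


def leaks_cid(exported_records, original_records):
    """Pre-export control: return True if any CID value appears anywhere in the export."""
    cid_values = {str(r[k]) for r in original_records for k in CID_FIELDS}
    blob = json.dumps(exported_records)
    return any(v in blob for v in cid_values)


def keyed_pseudonym(client_id, bank_key):
    """Deterministic pseudonym: same client -> same pseudonym, so the provider can link
    deliveries, but only the holder of bank_key can recompute (and thus correlate) it.
    An unkeyed hash would not be sufficient here, because short identifiers could be
    recomputed by anyone who knows the identifier format."""
    return hmac.new(bank_key, client_id.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    bank = Pseudonymizer()
    export = export_for_provider(CLIENT_RECORDS, bank)
    assert not leaks_cid(export, CLIENT_RECORDS)
    print("provider-facing export:", json.dumps(export, indent=2))
    print("bank re-identifies first record:", bank.reidentify(export[0]))
    key = secrets.token_bytes(32)  # generated and stored by the bank only
    print("keyed pseudonym:", keyed_pseudonym("CH-1001", key))
```

The `leaks_cid` check is the kind of control a practitioner would wire into the export pipeline so that a mapping error (a new CID column added to the source table, for instance) cannot silently ship clear text CID to the provider. Both variants keep the "correlation means" (the table or the HMAC key) exclusively at the bank, which is the condition the article ties to the out-of-scope treatment of the provider's processing.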

Further, while under data protection focused regulations (i.e. DPA/revDPA and the GDPR) only a transfer to a country not providing for adequate data protection legislation triggers additional requirements, under financial market focused regulations for financial institutions, any transfer abroad (even to countries providing for an adequate data protection legislation) triggers the corresponding additional requirements. In particular, the FINMA Outsourcing Circular prescribes that data necessary for restructuring or resolving in-scope financial institutions must at all times be accessible in Switzerland (i.e. actually stored/mirrored in Switzerland). Hosting abroad only, even if access is guaranteed at all times with redundant servers, etc., is not sufficient to meet this requirement.

5) No transitional period

Financial institutions must adapt their data processing activities to the new regime before the revDPA (and the implementing ordinance, which is still being finalized by the Federal Council following the consultation conducted last year) enter into force, as no transitional provisions apply (under the GDPR, a transitional period of two years applied after the GDPR entered into force). One notable exception to this rule is that the new provision on the duty to conduct a DPIA does not apply to processing activities initiated before the entry into force of the revDPA, provided the purpose of processing remains unchanged and no new personal data is being collected.

In anticipation of the large amount of work the FDPIC will also need to perform in relation to the revDPA, the budget of the FDPIC has been increased by approximately 1.2m Swiss francs (i.e. 19%) compared to last year, including 7 additional FTEs (increasing the total FTEs of the FDPIC to 37). This may also be taken as an indication that the new rules, which significantly affect a large number of companies, will be enforced by the FDPIC (whose administrative powers were increased considerably, without however being given the competence to issue fines) as soon as the revDPA enters into force.

Leo Rusterholz (leo.rusterholz@lenzstaehelin.com)