On 25 September 2020, the Swiss parliament adopted the entirely revised Data Protection Act (revDPA), which largely follows the regime provided by the EU General Data Protection Regulation (GDPR) with very limited Swiss finishes. On 3 March 2022, the target date for entering into force of the revDPA has been set for 1 September 2023. The revDPA will be very relevant for Swiss financial institutions, which are already today subject to a multitude of regulations, including regulations that (partially) govern processing of personal data and outsourcing. However, the revDPA will govern data processing in a comprehensive manner and impact outsourcings by financial institutions significantly. This article provides guidance to financial institutions which outsource (or desire to outsource) business areas to professional service providers and sets out the most relevant requirements of the revDPA that such institutions need to take into account above and beyond what already applies out of various financial market related regulations to which they are subject to.

By Leo Rusterholz (Reference: CapLaw-2022-15)