This article will examine the obligations of the financial services provider[1] to allow their clients access to a copy of their file or any other document relating to the established business relationship within the meaning of the Financial Services Act (“FinSA”) and under the Swiss Federal Data Protection Act (“FADP”).
Introduction
In our increasingly digital world, data determines our lives, at all times and everywhere. Individuals therefore have a strong interest in knowing that the protection of their data is respected and ensured. Banks in particular, which can look back on a long tradition of discretion and confidentiality, are aware that detailed information about a person’s financial situation is among the most sensitive data that can be disclosed.
The FinSA, which came into force at the beginning of 2020, is aimed, among other things, at improving the protection of clients of financial services providers. To achieve this objective, a number of rules have been enacted, including the right for the client to receive a copy of their file and all other documents relating to them.
This right corresponds to what already exists within the meaning of Article 400 of the Swiss Code of Obligations (“CO”), which deals with the Agent's obligation to be accountable to his client[2]. However, under the CO, certain internal documents, such as draft contracts, memoranda and preliminary studies, are subject to a weighing of interests between the client's interest in being provided with the documents and the Agent's interest in maintaining secrecy[3]. The new law thus has the advantage of applying without needing to weigh up the respective interests.
The aim of the new regulation is to improve client protection in the Swiss financial market, while strengthening the competitiveness of the Swiss financial centre, as well as to secure access to the European market by adopting rules equivalent to those of the European Union (EU) MiFID II Directive.
It is in the light of FinSA and FADP that we are analysing the right of the client of a financial services provider to obtain information on the data collected and copies of documents concerning the client.
Data Protection Principles in Switzerland
The FADP requires that personal information must be:
- used lawfully, fairly and transparently;
- collected only for valid purposes and not used in a way incompatible with those purposes;
- relevant to the particular purposes;
- accurate and kept up to date; and
- kept securely.
The FADP has been completely revised and has now been approved by both chambers of the Swiss Parliament. It should enter into force in 2022.
The revision leads to an overall alignment with the European standard. The revised ordinance is now awaited for consultation (probably in the first quarter of 2021)[4]. But it's safe to say that companies that apply the European General Data Protection Regulation standard today will have no trouble implementing the revised FADP tomorrow.
Data collected about the Client
A financial services provider may collect and process personal data about the client in order to on-board them, manage the business relationship and facilitate the provision of services or any ancillary services related thereto as part of the business activities[5].
As an example, a bank may collect, use and transfer the following kinds of personal data about the client[6]:
- Identity data: name, marital status, date of birth, gender, copies of passports.
- Contact data: work and business addresses, billing addresses, email and phone numbers.
- Financial data: bank account details, financial status and history.
- Professional data: information about the business such as the company name and contact person.
Provision of Documents under FinSA
Article 72 FinSA provides that the client is entitled at all times to receive a copy of their file and all other documents relating to the client that the financial service provider has prepared within the context of their business relationship.
The question arises as to exactly what documents the client is entitled to and, in particular, what is meant by "all other documents".
This provision covers all documents, regardless of the medium and form (document, file, data, on paper or electronically), containing decisive information that the financial services provider is obliged to maintain on the basis of section 15 FinSA[7]. This means that the financial service provider is obliged to properly document:
- the financial services agreed with the clients and the information collected about them (let. a);
- the information that an appropriateness or suitability assessment will not be performed or the fact that the financial services provider has advised the client against availing of the service (let. b); and
- the financial services provided to the client (let. c).
When providing investment advice, the financial service provider shall also document clients' needs and the grounds for each recommendation leading to the acquisition or disposal of a financial instrument[8].
Article 73 FinSA deals with the applicable procedure. It provides that the client must assert their right in writing or in any other form that allows. The financial services provider must hand over the documents within 30 days of receiving the request from the client.[9]
With this new right, the provider cannot refuse to hand over the documents even if it is a matter of safeguarding its own interests.
The Swiss authorities justified the importance of these provisions by the fact that they fill a gap in the law regarding the protection of the client[10].
We now analyse whether this is the case in light of the rules already in place when the law came into force, and in particular the FADP.
Data Protection Law
Data protection aims to protect the right to informational self-determination. This refers to the concept that every citizen should be able to determine for themselves the disclosure and the use of their own data. Personal data protection law therefore gives citizens various possibilities for exercising their privacy rights against those processing their data, under certain circumstances.
Right to information
Article 8 FADP sets out the so-called right to information. Any person may request information from the controller of a data file as to whether and which data relating to them is being processed. The corresponding information must normally be provided in writing and at no cost[11]. By way of exception, the payment of an appropriate share of the costs may be requested if (i) the applicant has already been provided with the requested information in the twelve months prior to the application and no legitimate interest in the further provision of information can be proven (a legitimate interest is constituted in particular if the personal data has been modified without notice being given to the data subject), or (ii) the provision of information entails an exceptionally large amount of work[12].
The provision of information can only be refused or restricted if a formal enactment so provides or it is in the overriding interests of third parties (Article 9 FADP). In all other cases, the controller of a data file must provide complete information and also provide details about the source and purpose of the processing.
Duty to provide information
In connection with the right to information, the FADP recognises the so-called duty to provide information. If particularly sensitive personal data and personality profiles are collected, the affected natural persons are to be actively informed thereof by the controller of the data file[13]. This includes the purpose of the processing, and in the event of disclosure, the data recipient.
According to the case law of the Federal Court, the bank is obliged to provide the client with information on personal data concerning him pursuant to article 8 FADP, irrespective of the legal nature of the relationship between the client and the financial services provider[14].
The revised FADP extends the duty to inform. The duty to inform will apply to any collection of personal data (and not only to the collection of sensitive personal data). According to the revised FADP, the data subject must be informed at least of the identity and contact details of the controller, the purpose of the processing and, where appropriate, the recipients or categories of recipients of the personal data[15].
Data security
In the age of mobile banking and payment apps, countless banking clients use their computer or smartphone on a daily basis to access their account or credit card information. Dealing with security vulnerabilities therefore represents a particular challenge.
Article 7 of the FADP sets forth that personal data must be protected against unauthorised processing through adequate technical and organisational measures.
A person wishing to access information relating to them on the basis of article 8 FADP must make a request, generally in writing, and may assert this right without demonstrating any particular interest.
The controller of the file, in our case the financial service provider, is obliged to communicate the information to the client (or its refusal) within 30 days of receipt of the request. However, the financial service provider has a right to extend this period upon notification to the client of the delay and the amount of extra time that will need to be taken[16].
Conclusions
We see that FinSA contains specific requirements relating to data protection, which apply in addition to the FADP and can overlap with the provisions under the FADP. For example, the entitlement of clients to receive a copy of all documents that the financial services provider has prepared within the context of their business relationship, set out in section 72 FinSA, generally corresponds to section 8 FADP, which governs the right to information and therefore also the duty to provide information with regard to personal data.
While, at first glance, the client's right to the handing over of documents under the new FinSA seemed somewhat superfluous, a more in-depth analysis shows that it actually makes it possible to fight against a certain legal insecurity and to ensure equality of treatment among the various financial service providers. Legal insecurity stems in particular from the unclear scope of the right of access to personal data provided for in the FADP.
The right to the handing over of documents according to FinSA is applicable and, if necessary, enforceable in summary proceedings. If the financial service provider refuses to comply, this may be taken into account in subsequent proceedings when deciding on the costs of the trial.[17] By providing an autonomous procedure for the handing over of documents, the FinSA goes further than the FADP. It remains to be seen how this provision will be put into practice.
Our Experience
lecocqassociate provides a full range of financial regulatory, corporate and commercial advice in relation to the structuring and incorporation of entities. The group is gaining a reputation for outstanding service in the areas of data protection and online reputation management, as well as cyber security, blockchain and crypto asset regulation.
Footnotes
[1] Financial service providers are persons who provide financial services on a commercial basis in Switzerland or for clients in Switzerland, with the criterion of a commercial basis being satisfied if there is an independent economic activity pursued on a permanent, for-profit basis (section 3 let. d FinSA).
[2] DFF, Rapport explicatif, p. 79; ATF 139 III 49, consid. 4.
[3] HK Privatrecht, Gehrer Cordey/Giger, CO 400 N 3.
[4] Eleonor Gyr, la nouvelle loi sur la protection des données, Swissbanking, 10 décembre 2020.
[5] FF 2015 8159.
[6] Union Bancaire Privée, UBP SA, Privacy Notice for Counterparties V2.0, July 2019.
[7] FF 2015 8194; DFF, Rapport explicatif, p. 79.
[8] Article 15 FinSA; FF 2015 8159.
[9] Article 73(2) FinSA.
[10] DFF, Rapport explicatif, p. 79; FF 2015 8194.
[11] Rudin, Datenschutzgesetz, LPD 8 N 57.
[12] Article 2 Ordinance to the Federal Act on Data Protection.
[13] Article 14 FADP.
[14] ATF 138 III 425, SJ 2013 I 81, consid. 4 ss; DFF, Rapport explicatif, p. 79.
[15] Eleonor Gyr, la nouvelle loi sur la protection des données, Swissbanking, 10 décembre 2020.
[16] Section 1 para. 4 Ordinance of the FADP.
[17] FF 2015 8124.