AFBS Comment: Data Protection Ordinance

This is a list of points that were identified by the representatives of the AFBS members during a Roundtable in August 2021. Speakers from Oberson Abels SA presented the draft ordinance and discussed points of potential interest to the foreign banks.

Data Protection Ordinance

Art 3 Par 1

The wording in German is more restrictive than in French and Italian. The German text restricts the specific requirement to automated processing of personal data, which the French and Italian version do not. This lack of consistency needs to be avoided as it entails legal uncertainty. The three language versions need to clarify that logging obligations apply only in case of presence of high risk with automated processing of personal data, but not in any case. Therefore, the text in French and Italian needs to be amended.

1Ergibt sich aus der Datenschutz-Folgenabschätzung, dass bei der automatisierten Bearbeitung von Personendaten trotz der vom Verantwortlichen vorgesehenen Massnahmen noch ein hohes Risiko …

1Lorsque l'analyse d'impact sur la protection des données révèle que, malgré les mesures prévues par le responsable du traitement, le traitement automatisé de données personnelles envisagé présente encore un risque élevé …

1Se dalla valutazione d'impatto sulla protezione dei dati emerge che, nonostante i provvedimenti previsti dal titolare del trattamento automatizzato dei dati di persona, sussiste ancora un rischio elevato per la personalità o i diritti fondamentali delle persone interessate, …

Art 3 Par 4

The Paragraph lacks legal basis and shall therefore be deleted. There is no point in restricting access to protected data which is, in any case, governed by the DPA and therefore subject to clear rules. Data controllers shall not be precluded from using the protocols as long as they respect the requirements of the revised DPA.

Art 4

The Article requires the drafting of a registry of processing activities. A similar requirement is defined in Art 12 DPA. There is no plausible reason for the Ordinance to repeat obligations outlined in the Law already. Doing so bears the risk of inconsistency, confusion, and contradiction.

Furthermore, there is no legal provision requesting the drafting of a registry of processing of private persons' data. The listing contained of registration duties of Art 12 applies to all instances of data processing. This is sufficient.

The entire article shall be deleted as it duplicates Art 12 DPA.

Art 8

Art 16 DPA identifies the Federal Council in charge of identifying those jurisdictions / international organisations which offer adequate measures of data protection and therefore qualify for data disclosure. Therefore, Art 8 DPO shall specify that it is the Federal Council that needs to perform the assessment of the jurisdictions / international organisations and that it needs to take into account the ensuing list of criteria for the adequateness assessment.

It must be clear that the Federal Council's decision regarding adequateness of the measures of data protection of a country / international organisation is definitive and does not trigger further control measures by the exporter.

1Zur Beurteilung, ob Personendaten ins Ausland bekanntgegeben werden dürfen, prüft der Bundesrat, ob ein Staat, ein Gebiet, einer oder mehrere spezifische Sektoren in einem Staat oder ein internationales Organ einen angemessenen Datenschutz gewährleisten. Er berücksichtigt dabei namentlich folgende Kriterien:

6Der Bundesrat konsultiert den EDÖB wirdkonsultiert.

1Pour l'évaluation de l'admissibilité du transfert de données à l'étranger, le Conseil fédéral examine, si un Etat, un territoire, un ou plusieurs secteurs déterminés dans un Etat, ou si un organisme international garantit un niveau de protection adéquat. Il prend en compte notamment les critères suivants:

6Le Conseil fédéral consulte le PFPDT est consulté ….

1Per valutare se la comunicazione dei dati all'estero è ammissibile, il Consiglio federale esamina, se uno Stato, un territorio, uno o più settori di uno Stato o di un organismo internazionale garantisce una protezione adeguata dei dati. Prendevanno segnatamente presi in considerazione i seguenti criteri:

6Il Consiglio federale consulta l'IFPDT è consultato ….

Art 13

The data processor cannot be expected to comply with an obligation of information as extensive as drafted in Art 13 Par 1. It does not have information on the subjects to be informed and may even not be aware of what information it is legally entitled to provide and to whom. Requesting the data processor to provide information which the controller can potentially provide itself furthermore bears the risk of duplicate information being issued. This can lead to contradictions.

Paragraph 2 shall be deleted. It is difficult to understand and does not add value. There is no information on what a machine-readable pictogramme is.

A separate paragraph shall provide clarity on how to provide information to the concerned persons on the processing of personal data. This requires legal clarity. The topic is complex, various solutions are available. Clear and unequivocal guidance in Law and Ordinance can contribute to assure clarity and consistent practice. This brings legal certainty which is in the interest of all.

Therefore, Art 13 shall be worded as follows:

1Der Verantwortliche teiltund der Auftragsbearbeiter teilen die Information über die Beschaffung von Personendaten in präziser, verständlicher und leicht zugänglicher Form mit.

2Teilt er die Informationen in Kombination mit Piktogrammen mit, die elektronisch dargestellt werden, so müssen diese maschinenlesbar sein.

3Der Verantwortliche kann die Information auf einer Website verfügbar machen. Die Website muss einfach zugänglich sein und der Verantwortliche teilt den betroffenen Personen deren Adresse mit.

1Le responsable du traitement et le sous-traitant communiquent les informations sur la collecte de données personnelles de manière concise, compréhensible et facilement accessible.

2Lorsque l'information se fait en combinaison de pictogrammes, ceux-ci doivent être lisibles par machine s'ils sont présentés par voie électronique.

3Le responsable du traitement peut mettre à disposition l'information sur un site web. Le site web doit être facile d'accès et le responsable communique son adresse aux personnes concernées.

1Il titolare del trattamento e il responsabile comunicano le informazioni sull'ottenimento di dati personali in forma precisa, comprensibile e facilmente accessibile.

2Se le informazioni sono comunicate in combinazione con pittogrammi rappresentati in forma elettronica, questi ultimi devono essere leggibili a macchina.

3Il responsabile del trattamento può mettere a disposizione l'informazione su un sito web. Questo sito web dev'essere facile d'accesso e il responsabile del trattamento comunica il suo indirizzo alle persone colpite.

Art 18

The Article needs to clarify that the storage in writing / in print is not the only way, but that alternative means of text storage are available for the documentation of the data protection impact assessment.

Furthermore, there is no legal basis for the impact assessment to be stored for two years beyond end of processing.

Der Verantwortliche muss die Datenschutz-Folgenabschätzung schriftlich oder in einer anderen durch Text nachweisbaren Form festhalten. Sie muss während zwei Jahren nach Beendigung der Datenbearbeitung aufbewahrt werden.

Le responsable du traitement consigne par écrit ou sous une autre forme de texte traçable l'analyse d'impact relative à la protection des données personnelles. Elle est conservée pendant deux ans après la fin du traitement des données.

Le responsable du traitement consigne par écrit l'analyse d'impact relative à la protection des données personnelles. Elle est conservée pendant deux ans après la fin du traitement des données.

Il titolare del trattamento redige per scritto o in un altro formato di testo rintracciabile la valutazione d'impatto sulla protezione dei dati. Quest'ultima è conservata per due anni dopo la fine del trattamento.

Art 19 Par 3

The data controller must not be obliged to communicate extensively and in detail about the remediation measures adopted to mitigate future incidents. This information belongs to the realm of the data controller. Its dissemination merely facilitates future attacks.

3Der Verantwortliche teilt den betroffenen Personen in einfacher und verständlicher Sprache mindestens die Informationen nach Absatz 1 Buchstaben a, e und f und g mit.

3Le responsable du traitement communique à la personne concernée, dans un langage simple et compréhensible, au moins les informations visées à l'al. 1, let a, e et f et g.

3Il titolare del trattamento comunica alla persona interessata in una lingua semplice e comprensibile almeno le informazioni di cui al capoverso 1 lettera a, e e f e g.

Art 19 Par 5

The Paragraph 5 lacks legal basis. It is therefore to be deleted.

If it is to be maintained, it needs to clarify that the data controller can only provide information on points it is aware of. The data controller cannot be expected to perform investigation beyond its own realm

5Der Verantwortliche muss die Verletzungen dokumentieren. Die Dokumentation muss alledie mit den Vorfällen zusammenhängenden Tatsachen, deren Auswirkungen und die ergriffenen Massnahmen enthalten. Sie ist ab dem Zeitpunkt der Meldung nach Absatz 1 mindestens drei Jahre aufzubewahren.

5Le responsable du traitement document les violations. La documentation contient tous les faits relatifs aux incidents, à leurs effets et aux mesures prises. Elle est conservée pendant au moins trois ans à compter de la date d'annonce, au sens de l'al. 1.

5Il titolare documenta le violazioni. La documentazione contiene tutti i fatti legati agli eventi, le loro conseguenze e i provvedimenti adottati. Deve essere conservata per almeno tre anni dalla notifica secondo il capoverso 1.

Art 48

The present legislation is complex and impacts a broad range of services within the individual firms. The individual measures to be adopted are dependent on each other; there are links between different prescriptions. It imposes extensive amendments of processes and procedures. To assure a holistic approach is possible when implementing the new regulation, the date of entry into force should leave sufficient time for transition and be the same for the entire text.

Entry into force of the DPA and DPO shall be on 1 January 2023 at the earliest.

22 October 2021
/