Data protection and confidentiality are core principles of Swiss banking

Banks and individuals have a strong interest in the protection of their data being respected and secured. Information about the financial situation of a person is among the most sensitive forms of personal data

Financial institutions need to implement a pragmatic, yet compliant programme to secure personal data and respect both the Swiss Federal Data Protection Act and the banking legislation

Data protection is an evolving legal matter

Regular training of employees, careful review of internal processes and transparency of processing can lower the risks of data breaches and misuse of valuable information

BRP Data protection

What are your questions?

BRP SA is here to assist you in managing data protection matters related to the banking industry


Is client data confidential or sensitive?

Different categories of data receive different levels of protection. According to the Swiss Data Protection Act, personal data is data that can be used to identify a specific individual. Sensitive personal data is granted a higher level of protection because of its special (intimate) nature (health-related data, biometric information, religious or political beliefs, etc.) (art. 5 ss FADP)

Confidential data processed by the bank is not necessarily personal data: for example, when personal data is anonymized or when the data refers not to an individual but to business secrets. Bank secrecy hence covers a larger scope of data

Can I delegate data processing?

Transmission of data is strictly regulated. Personal data can only be shared with third parties, or even with subsidiaries if they are abroad, under certain conditions. The given processing must be subject to obligations, it must be secure, and the data subject must have been informed of it or have consented to it. The requirements also depend on the country to which the data is to be transmitted

How do I communicate about data processing?

Individuals can exercise control over their personal data if they are aware that data is being processed about them. They will be able to exercise their right if they are informed of the processing practices. It is therefore compulsory for banks to provide information on data processing, and they must ensure that this information is provided at the time of collection, in a clear and comprehensible format, and that the rights of individuals are clearly set out

Who is allowed to access the data?

The law grants a right of access to the data collected. The data controller is required to provide not only the categories of data processed, but also the sources, the length of time the data is kept, the recipients of the data and any international transfer.

Based on the principles of data security, bank employees will be granted limited access to databases processing personal data. The principle is based on “need-to-know” and these measures must be regularly re-evaluated (art. 8 FADP)

Is consent always necessary?

There are several legal grounds for collecting personal data. Consent is one of them, and denotes the individual’s explicit agreement to share his or her data. In the banking sector, institutions are often required by law to collect personal data. There is thus no need to obtain consent for this information

In order to ensure data security, the bank may also rely on its legitimate interest to process data. This, for example, enables the bank to monitor the use of tools. The legitimate interest is justified if the measures remain proportionate

Can I retain personal data forever?

Personal data is always linked to a purpose: managing an account, taking a decision on guarantees of irreproachable activity, assessing a credit application. When the purpose is no longer relevant, and there is no specific law requiring the data to be kept for an additional period of time, the data shall be deleted

Want to find out more about data protection?

Take our training course

Right of access under the Data Protection Act (“Droit d’accès selon la loi de la protection des données”)

REGORA Training

5th June 2024
in-person event (Geneva)

This course is given in French



The new Federal Act on Data Protection (Art. 14) requires companies located abroad to appoint a Swiss Data Protection Representative

Financial institutions can also decide to voluntarily appoint a Data Protection Representative to offer their clients a first point of contact in Switzerland

  • Do you have clients in Switzerland and your company is based abroad?
  • Do you process their personal data?
  • You don’t have a registered office in Switzerland?

  • We act as the local, accessible point of contact for Swiss data subjects and for the FDPIC
  • We offer our local language skills
  • We register with the FDPIC
  • We provide our deep knowledge of Swiss legislation
  • We maintain your records of processing activities

Find out from us whether you need this solution to comply with Swiss legislation

Want to know more about Data Protection and Privacy?

Talk to our BRP experts


International ESG regulation and the regulatory landscape are evolving at an incredible pace. The regulatory approach followed in the various regions is still very heterogeneous and does not (yet) always focus on the same subjects/aspects, which makes it difficult to understand and implement

The possible diversity of ESG and the high level of complexity of the issues make it difficult to address in a relevant way from a regulatory point of view. Sustainable finance faces a huge challenge for its evolution: the absence (yet) of commonly recognised international standards





  • Climate change
  • Energy efficiency
  • Resource depletion

  • Human rights
  • Health and safety
  • Diversity, equity and inclusion (DEI)
  • Conflict zones and conflict minerals
  • Community engagement

  • Executive independence and structure
  • Conflicts of interest
  • Anti-money laundering and corruption
  • Responsible tax strategy
  • Stakeholder engagement

global standard

Recently (on 26 June 2023), the ISSB, an independent board established by the International Financial Reporting Standards (IFRS) Foundation, released its first global sustainability disclosure standards. The ISSB standards are built on the concepts that underpin the IFRS Accounting Standards, which are used by more than 140 jurisdictions 


for ESG implementation

  • For both listed companies and financial intermediaries, particular emphasis is placed on the need for greater transparency on sustainable criteria with regard to the public and investors
  • Financial services and products need to incorporate ESG (environmental, social and governance) criteria into their business and investment decisions
  • Financial service providers need to integrate ESG preferences and ESG risks into investment advice and portfolio management
  • Among the key areas to be considered are the question of specific resources and their integration into management processes, information for target customers and employee training 
  • An effort to make the offers, processes and measures understandable for customers and regulators to avoid greenwashing

Want to know more about ESG?

Talk to our BRP experts

why cryptos?

In recent years, the sector of crypto-assets has experienced significant expansion, with tokens becoming increasingly integrated into global economies. The variety of crypto-assets is vast, ranging from well-known entities such as Bitcoin and Ethereum to a plethora of tokens that are being developed daily

Recent significant events, including the bankruptcy of FTX, have underscored the need for regulatory oversight in this rapidly growing sector. Recognizing the magnitude of this phenomenon, regulators and supervisors worldwide have begun to implement laws and regulations pertaining to the issuance and registration of crypto-assets. A prime example of this regulatory response is the European Union’s Markets in Crypto-Assets (MiCA) regulation

Consequently, businesses operating in this sector must familiarize themselves with the specific regulations of the countries in which they intend to offer their services and products. Furthermore, they must ensure they have the necessary resources to maintain compliance with these regulations


Classification of crypto-assets

Qualify a crypto-asset in the correct class(es)

Determine whether the crypto-asset itself must be registered in order to be distributed to the public

Determine whether a crypto-service is subject to a licence and under which conditions

What current banking and investment practices are recognized (or tolerated) by the authorities?

Reverse solicitation

Private placement rules

Want to know more about Cryptos?

Talk to our BRP experts