Created on 01.12.2020

The new Federal Act on Data Protection: what’s happening?

The new Federal Act on Data Protection has been adopted. But what does this mean for PostFinance? The financial institution is pressing ahead with preparations for its implementation with a comprehensive framework project.

Data Compliance

What it’s all about: the data protection of the future

Digitization not only increases data volumes, but also the technological possibilities for analysing and processing existing data using Big Data, machine learning and artificial intelligence. The new Swiss Federal Act on Data Protection, which was adopted by the Swiss Parliament in autumn 2020, takes account of these developments. It replaces a law that dates back to 1992 — a time when the internet was still in its infancy. “The new Federal Act on Data Protection now applies wherever personal data is processed. For banks, whose business is data-driven and IT-managed, it will have an impact in many areas,” explains Jürg Frei, head of the framework project on data protection at PostFinance. Key elements of the new data protection legislation include:

  • Only data of natural persons will be protected
  • The obligation to provide information to data subjects will be more comprehensive
  • Additional data, such as genetic and biometric data with which a person can be uniquely identified, is considered particularly worthy of protection
  • Companies with 250 or more employees are obliged to keep records of their data processing
  • Data processing must be planned and implemented to ensure data protection regulations are complied with (Privacy by Design)
  • There is now a right to data portability: any person can demand the release of their personal data in a standard electronic format
  • Clear sanctions are defined

What solutions will the data protection of the future call for: the challenges

For PostFinance, careful handling of personal data is an obligation it has always fulfilled. While the financial institution has tended to work with solutions for specific issues in the past, the new Federal Act on Data Protection takes a holistic view. “Today, the data is no longer simply available in a separate data pool, but flows from application to application or is augmented where necessary. We’re taking this into account by adopting a holistic approach to the issue,” explains Jürg Frei. One step towards this is the creation and management of internal records, required by law, which ensure transparency internally and where all data processing is logged. This in turn forms the basis for drawing up a privacy policy that creates transparency for the outside world.

How PostFinance is preparing: a large-scale project on data protection for the future

PostFinance is preparing for the entry into force of the new Federal Act on Data Protection with a comprehensive data protection project and is defining and prioritizing appropriate implementation measures. According to Jürg Frei, a fundamental distinction must be made between the requirements of data protection and those of data security: data protection protects the right to privacy, especially in legal terms. However, this is not possible without data security. This defines how data is handled in organizations. Stephan Zimmermann, Head of Customer Security at PostFinance, the unit responsible for online security, card money security and anti-fraud, explains: “Data protection is all about transparency for customers. Not only do we have a duty to tell them what the data is collected and used for, but in certain cases they must also have the opportunity to consent to or reject the collection of data that’s not relevant to the business in question.” Data security is about defining how a company ensures data is secure over its entire life cycle — from collection to deletion. In doing so, it also ensures no unauthorized persons have access to the data.

What the new data protection law requires in specific terms — three examples

If PostFinance entrusts a third party with the processing of personal data, the financial institution must, as in the past, ensure that data protection and data security are fulfilled to the same extent as for in-house processing. An example of this is a mass mailing campaign via a printing company. This can be governed by careful instructions and contractual provisions. The new Swiss Federal Act on Data Protection now defines the duties of contractors and managers.

Telephone authentication

In the Contact Center, PostFinance uses the customer’s unique voice profile to clearly identify them. There is an obligation here to inform the customer in advance what the data will be used for. The customer also has the option of rejecting the use of voice recognition.

Privacy by Design

When PostFinance develops new systems, they must be designed to comply with data protection regulations, which is now a legal requirement. If, for example, this is a system for initiating customer relationships, only data compatible with and necessary for processing purposes may be collected. This is called data minimization. If further data is to be collected, it must be clear to the customer that this is additional information provided voluntarily, and is not mandatory. The term “privacy by default” is used here. Customers must also be informed about the use of personal data. This will also affect the work of IT specialists.

Why the new data protection is important for everyone: raising awareness

A particularly important piece of the puzzle when it comes to implementing data protection is the employees. “Data protection must become part of our DNA,” stresses Jürg Frei. “Employees should understand the fundamentals of data protection, know what is allowed and what is not, and also recognize and report when a sensitive situation arises. This is actually similar to bank client confidentiality.” For this reason, PostFinance has launched a comprehensive communication campaign with explanatory videos in which relevant parts of the Federal Act on Data Protection are explained. In a further step, it also plans to roll out more in-depth training at appropriate levels.

What the new Federal Act on Data Protection will do: the impact

According to Jürg Frei, the new Federal Act on Data Protection will bring much greater transparency with regard to the processing of personal data. This contributes to customers’ understanding that the new technological possibilities can benefit them too. It is also up to PostFinance to highlight the added value. For instance, specific, customized offers could be made to the customer without them having to endure a torrent of advertising in future. Jürg Frei sees no danger that the new data protection law will fundamentally restrict the use of technologies, such as Big Data, artificial intelligence or machine learning. “We are simply entering an era when data is handled more consciously. The Federal Act on Data Protection does not prevent you from processing data. It only requires that this is done according to the standards — in other words, with the necessary transparency.” The importance that PostFinance attaches to data handling is highlighted by the scale of this framework project and the significance it has within the company.
