Reading Time 5 Minutes
Created on 01.12.2020 | Updated on 21.05.2021

How PostFinance is preparing for the new Federal Act on Data Protection

In September 2020, the Swiss Parliament adopted the new Federal Act on Data Protection. The date on which it will come into effect has not yet been determined. PostFinance is making extensive preparations for the changes in requirements. Customers and visitors to the PostFinance website will be able to see the results of this on an ongoing basis over the coming months.

What it’s all about: the data protection of the future

Digitization not only increases data volumes, but also the technological possibilities for analysing and processing existing data using Big Data, machine learning and artificial intelligence. The new Swiss Federal Act on Data Protection, which was adopted by the Swiss Parliament in autumn 2020, takes account of these developments. It replaces a law that dates back to 1992 — a time when the internet was still in its infancy. “The new Federal Act on Data Protection now applies wherever personal data is processed. For banks, whose business is data-driven and IT-managed, it will have an impact in many areas,” explains Jürg Frei, head of the framework project on data protection at PostFinance. Key elements of the new data protection legislation include:

  • The new Federal Act on Data Protection exclusively covers the protection of natural persons, bringing it into line with relevant international standards.
  • The obligation to provide information with regard to data subjects is being made much more comprehensive and includes the minimum information required.
  • Additional personal data, such as genetic and biometric data with which a person can be uniquely identified, is considered particularly sensitive.
  • Companies with 250 or more employees are obliged to keep a record of their processing activities.
  • Processing of personal data must be planned and implemented in such a way that it can be carried out in compliance with data protection regulations from the outset (privacy by design).
  • There is now a right to data portability: individuals can request the release of their personal data in a common electronic format.
  • Clear sanctions are set out which stipulate the individual criminal liability of the responsible persons. It is assumed that it is primarily the management bodies, such as members of the Board of Directors or the Executive Board, that could be affected by this, and possibly also the data protection officer in the case of improper action.

What the data protection of the future involves: the challenges

For PostFinance, careful handling of personal data is an obligation it has always fulfilled. While the financial institution has tended to work with solutions for specific issues in the past, the new Federal Act on Data Protection takes a holistic view. “These days, data is no longer simply available in a separate easy-to-manage data pool, but flows from application to application, is augmented where necessary and is kept available for further processing. We’re taking this into account by adopting a holistic approach to the issue,” explains Jürg Frei. One step in this direction, according to Frei, is the creation and maintenance of the record of processing operations required by law, which must contain all processing of personal data. This internal transparency forms the basis, for example, for drawing up data privacy statements that ensure external transparency too.

How PostFinance is preparing: a large-scale project on data protection for the future

PostFinance is preparing for the entry into force of the new Federal Act on Data Protection with a comprehensive data protection project and is defining and prioritizing appropriate implementation measures. According to Jürg Frei, a fundamental distinction must be made between the requirements of data protection and those of data security: data protection protects the right to privacy, especially in legal terms. However, this is not possible without data security, which defines how data is handled in organizations. Stephan Zimmermann, Head of Customer Security at PostFinance, the unit responsible for online security, card money security and anti-fraud, explains: “Data protection is all about transparency for customers. Not only do we have a duty to tell them what the data is collected and used for, but in certain cases they must also have the opportunity to consent to or reject the collection of data that’s not relevant to the business in question.” Frei points out that data security is all about ensuring the confidentiality, integrity and availability of data throughout the entire data lifecycle, from collection to deletion. This includes ensuring that no unauthorized persons have access to the data, for example, or that the data is not lost if system issues arise.

What the new data protection law requires in specific terms — three examples

If PostFinance entrusts a third party

Order processing, referred to as “outsourcing”, has long been a topic of discussion amongst banks. With the processing of personal data, the financial institution must, as in the past, ensure that data protection and data security are fulfilled to the same extent as for in-house processing. An example of this is a mass mailing campaign via a printing company. This can be regulated by careful instructions and contractual provisions and supervised by the processor. The new Swiss Federal Act on Data Protection now defines the obligations of the controllers (customers) and processors (service providers).

Telephone authentication

In the Contact Center, PostFinance uses the customer’s unique voice profile to clearly identify them. There is an obligation here to inform the customer in advance what the data will be used for. The customer also has the option of rejecting the use of voice recognition.

Privacy by design

When PostFinance develops new systems, they must be designed to comply with data protection regulations, which is now a legal requirement. If, for example, this is a system for initiating customer relationships, only data compatible with and necessary for processing purposes may be collected. This is called data minimization. If further data is to be collected, it must be clear to the customer that this is additional information provided voluntarily, and is not mandatory. The term “privacy by default” is used here. Customers must also be informed about the use of personal data. This will also affect the work of IT specialists.

Why the new data protection is important for everyone: raising awareness

A particularly important piece of the puzzle when it comes to implementing data protection is the employees. “Data protection must become part of our DNA,” stresses Jürg Frei. “Employees should understand the fundamentals of data protection, know what is allowed and what is not, and also recognize and report when a sensitive situation arises. This is actually similar to bank client confidentiality.” For this reason, PostFinance has launched a comprehensive communication campaign with explanatory videos in which relevant parts of the Federal Act on Data Protection are explained. In a further step, it also plans to roll out more in-depth training at appropriate levels.

What the new Federal Act on Data Protection will do: the impact

According to Jürg Frei, the new Federal Act on Data Protection will bring much greater transparency with regard to the processing of personal data. This contributes to customers’ understanding that the new technological possibilities can benefit them too. It is also up to PostFinance to highlight the added value. For instance, specific, customized offers could be made to the customer without them having to endure a torrent of advertising in future. Jürg Frei sees no danger that the new data protection law will fundamentally restrict the use of technologies, such as Big Data, artificial intelligence or machine learning. “We are simply entering an era when data is handled more consciously. The Federal Act on Data Protection does not prevent personal data from being processed. It only requires that this is done according to the standards — in other words, with the necessary transparency and due diligence.” The importance that PostFinance attaches to data handling is highlighted by the scale of this framework project and the significance it has within the company.
