Data Protection and Privacy 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

carry out investigations into data processing by private bodies. In addition, each canton has its own data protection authority, which is generally competent to supervise cantonal and communal bodies (but not private parties, which are subject to the FDPIC’s authority). Other regulators, such as FINMA, may play a role in the enforcement of data protection (see the following).

It is also worth mentioning here that the key official actor in the cybersecurity area in Switzerland is the NCSC, which is now integrated into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit, BACS) within the Federal Department of Defence, Civil Protection and Sports (DDPS). Indeed, in an effort to centralise the administrative activities in this area, other actors such as the Reporting and Analysis Centre for Information Assurance (MELANI), GovCert and the Cybercrime Coordination Unit (CYCO) became an integral part of the NCSC and now BACS. Tasks include raising public awareness, receiving reports on cyber-incidents and supporting operators of critical infrastructures in managing these incidents. Protection of the federal administration against cyber-attacks is now a key task of a new specialist unit within the new State Secretariat for Security Policy (Sepos), also within the DDPS.

1.3 Enforcement Proceedings and Fines

The FDPIC has the right to carry out investigations and has direct enforcement powers, including the right to direct the controller to change, suspend or cease processing activities. In the course of an investigation, the FDPIC has the right to demand the production of documents, make inquiries and ask for a demonstration of a particular type of processing of personal data. Binding orders by the FDPIC may be published, stating the name of the investigated party (“naming and shaming”). Failure to comply with a binding order may, if referred to criminal prosecution, incur a criminal fine against the responsible individuals of up to CHF250,000. Such fines can also be levied by the criminal courts against the responsible individual(s) in cases of non-compliance with minimum legal data security requirements, though it is doubtful whether the legislator has indeed provided for such minimum requirements. Most data security regulations under the FADP and DPO are very general in nature or focus on accountability, rather than security, except maybe for the obligation to ensure that certain higher-risk data operations are logged, as noted in the foregoing.

The FDPIC’s increased (compared to the prior version of the FADP) powers and the more dissuasive criminal sanctions are seen as one of the most significant novel aspects of Swiss data protection legislation.

Any investigation by the FDPIC is subject to the Federal Act on Administrative Procedure (APA), which provides for due process rights for the investigated party and third parties – for example, rights to refuse to testify. The procedure before the Federal Supreme Court is regulated by the Federal Act on the Supreme Court.

In the banking and financial markets sector, the regulator, FINMA, supervises the relevant actors (namely banks, insurance companies, financial institutions, collective investment schemes and fund management companies) and plays a role in the cybersecurity realm. Indeed, given the importance of the financial industry in Switzerland, data security and cybersecurity are core concerns. FINMA publishes an annual risk monitor as an overview of risks seen as particularly significant, and the 2024 version highlights that cyber-risks remain one of the biggest operational risks and notes a growing number of cyber-
