TMT 2025

SWITZERLAND Law and Practice Contributed by: Lukas Morscher, Lukas Staub and Jil Eichenberger, Lenz & Staehelin

• The Civil Law was amended to increase legal certainty for the transfer of DLT-based securities.
• Changes to the bankruptcy regime provided for the segregation of digital assets in bankruptcy proceedings.
• A new authorisation category of a DLT trading facility which could offer trading, settlement and clearing services for digital assets was introduced.

These changes, which took effect during 2021, improved market access for fintech companies involved in DLT and blockchain technologies by enhancing legal clarity and reducing regulatory barriers.

2. Cloud and Edge Computing

2.1 Highly Regulated Industries and Data Protection

Swiss law does not include specific regulations for cloud or edge computing as it maintains a technology-neutral legislative approach. As such, general legal frameworks, including data protection laws, govern these services.

Personal data must be safeguarded with appropriate technical and organisational measures to prevent unauthorised processing, ensuring data security, availability and integrity, regardless of storage location. Using cloud services may constitute outsourced processing. If cloud servers are located abroad and personal data is not fully encrypted during transfer or storage, this is considered an international data transfer. The Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) has issued non-binding guidelines outlining risks and data protection requirements for cloud use.

Professional secrecy obligations, such as banking secrecy (the “Banking Act”), financial institutions secrecy (the “Financial Institutions Act” or FinIA) and telecommunications secrecy (the “TCA”), apply in addition to the DPA (see 7.1 Legal Framework Challenges). Sector-specific rules also exist for health-related data processing, including under the Federal Act on Research on Humans, the Federal Act on Human Genetic Testing and the Federal Ordinance on Health Insurance. Certain cloud service providers may also fall under the Federal Act on the Surveillance of Post and Telecommunications (the “SPTA”), which obliges them to facilitate surveillance measures during criminal investigations when ordered by authorities.

In addition, the Federal Act on Information Security (the “ISecA”) and its implementing ordinances entered into force on 1 January 2024. While the ISecA primarily focuses on government cybersecurity, a revision adopted on 29 September 2023 will require critical infrastructure operators, including private parties, to report cyber-attacks to the National Cyber Security Centre within 24 hours. This obligation applies, inter alia, to Swiss-based providers of cloud services, data centres and certain software or hardware manufacturers as well as banks, insurers and hospitals. The new reporting obligation is expected to take effect in the first half of 2025.

Cloud service contracts must clearly address compliance with relevant legal and contractual obligations, particularly data protection requirements imposed on customers of cloud service providers. Sector-specific rules may apply, such as FINMA’s Circular 2018/3 (the “Outsourcing Circular”), which applies to most financial institutions subject to supervision by the FINMA (see 7

CHAMBERS.COM