obligations for client data are relevant for banks, securities firms, asset managers, trustees, managers of collective assets, fund management companies and financial market infrastructures (e.g. trading venues, payment systems or central security depositories). For these regulated entities, the Swiss Financial Market Supervisory Authority (FINMA) lays down rules for handling critical data, a term which entails personal data. Thus, a DPO of a regulated entity in the financial market needs to consider not only the FADP, but also the respective regulatory framework, when advising their business. FINMA will also regularly audit regulated entities regarding their data protection and general information management framework. Consequently, it can be very challenging for a DPO to consider not only the relevant data protection laws, but also any regulation concerning the handling of data. Finally, as in many industries, outsourcing is a very important topic for any DPO in the financial market. However, due to the various regulations, outsourcing can be a bothersome and complex process, particularly if FINMA has to be involved.

How does the addition of international data transference further complicate these duties?

The EU Commission has decided that Switzerland has an adequate level of data protection regarding the GDPR and vice versa. Thus, data transfer between the EU/EEA and Switzerland is usually uncomplicated. However, when transferring personal data to countries without an adequate level of data protection, it can be difficult for the DPO to advise on any necessary additional technical or organizational measures that will need to be taken. Furthermore, the professional secrecy obligation can complicate such international data transfers even more. Conservative Swiss scholars seem to be still of the opinion that personal data covered by the professional secrecy obligation may not be transferred outside Switzerland without the consent of the clients. However, lately, an argument has emerged that such data may be transferred outside of Switzerland without the explicit consent of the client, provided that the security of the data is ensured.

What can external legal counsel offer a DPO that they might be unable to achieve on their own?

Given that a DPO is involved in various internal operational processes within a company, such as data subject requests or privacy impact assessments, and usually lacks the time and resources for in-depth legal research, an external counsel can support a DPO with the latest know-how.

64 LAWYER MONTHLY APRIL 2023