I’d like to highlight an excerpt of FINMA’s answer on the application of the GDPR and data protection laws to institutions bound by FINMA legal provisions. Some insurers and banks (as well as other institutions subject to FINMA), because they must fulfil FINMA legal provisions, mistakenly consider themselves exempt from GDPR compliance, or assume that, unless FINMA tells them to do something in that direction, they are not obliged to work towards GDPR compliance, or that they are (partially or completely) relieved of it. This is completely wrong and could lead to dangerous behaviour in the future. FINMA states that you have to assess which regulations apply to you and comply with all relevant ones. So if you are an institution bound by FINMA legal provisions but at the same time fall within the scope of the GDPR, you must adhere to it too, obviously also taking into account application of and compliance with Swiss legislation and any other law that might apply.
We recommend that such institutions get in touch with their respective legal services, auditors and consultancy firms to verify which regulations apply with regard to the GDPR and any other data protection law (such as the current Swiss DPA, while also keeping a close eye on the forthcoming amended one, still to be approved by the Swiss Parliament). And if doubts still remain, last but not least, you can always contact your Key Account Manager at FINMA.
Here is a copy of an excerpt of the answer by FINMA:
FINMA, respectively the laws under which it operates, has a principle-based regulatory approach, meaning that instead of detailed rule-based regulation there is rather an overarching legal provision. For example, it can be stated that for a supervised institution to ensure proper business conduct (Gewähr / garantie d’une activité irréprochable / dell’irreprensibilità la quale deve essere garantita), compliance with all laws and regulations has to be ensured. So no detailed guidance is given on how financial market legislation interacts with data protection laws. The requirement is that a subordinated institution analyses forthcoming legislation, takes the necessary measures to adhere to it and manages the associated risks.
If you need tailored consultancy on data protection, cyber assessment or cyber insurance, or wish to assess your readiness against the GDPR and the Swiss DPA, feel free to contact us.
Nymphaea Group Sagl