The General Data Protection Regulation (GDPR) and the revised Swiss Data Protection Act (DPA) - Advice for Trustees based in Switzerland
Introduction
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. This new EU data protection regime will introduce new obligations on trustees as data controllers when processing the personal data of data subjects (such as settlors and beneficiaries). Furthermore, in the context of Switzerland, the GDPR will have extra-territorial applicability: if a non-EU (Swiss) business wishes to process the data of a data subject, it will have to play by the EU rules. Trust businesses in Switzerland falling within this category should therefore consider and review their procedures in order to comply with the GDPR.
Swiss trust companies and businesses will also need to comply with the revised Swiss Data Protection Act (DPA), which is being introduced at the end of 2018 or in early 2019. Broadly speaking, the DPA has been introduced to complement the GDPR and a draft of the DPA was published on 15 September 2017. It is likely that the DPA will take time to implement and as such, lawyers and practitioners will be closely watching the interplay between the two regimes. It is assumed at present that the same obligations for trustees that arise under the GDPR will similarly apply in respect of the DPA.
What is personal data and why is a trustee a data controller?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (the “data subject”). A data controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processing” includes collecting, recording, organising, storing, retrieving, consulting, using, erasing or destroying the personal data. As such, trustees will in almost all instances be data controllers in relation to the information they gather, store and use about all persons linked to a trust (the data subjects), which includes not only the beneficiaries but also the settlor, protector, appointer and any other connected persons whose data is processed.
It is important to be aware that the GDPR is wide-reaching and its principles will apply in all cases where personal data is processed within a company or its group. Swiss trust companies that pass on personal data of data subjects to other departments or companies within their group need to be conscious of this and have appropriate measures in place.
Enforcement
The GDPR establishes a two-tiered system of penalties. Some infringements (for example for violations relating to internal record keeping) are subject to fines of up to EUR 10 million or 2% of global revenue. Others (such as breaches of the data protection principles) are subject to higher fines of up to EUR 20 million or 4% of global revenue. Under the DPA the maximum financial penalty is substantially lower than the GDPR at CHF 250,000.
Obligations of data controllers
Trustees must demonstrate compliance with the data protection regime as part of the overall principle of accountability. Some of the main obligations of the GDPR and DPA that trustees will need to comply with when processing clients’ data include:
- providing beneficiaries with information (privacy notices) about their personal data being processed, the reasons for such processing and the details of any recipients of that data (any requests from beneficiaries should be reasonable, and trustees need only provide the personal data information that they possess concerning the beneficiary in question, nothing more);
- keeping an up-to-date record of all processing activities for which they are responsible;
- ensuring data is processed securely and having appropriate systems in place that meet the standards imposed by the GDPR;
- ensuring that any data processing which is delegated to a processor (for example, a law firm) is subject to a contract that satisfies GDPR requirements;
- notifying personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) (the relevant Swiss supervisory authority) without undue delay;
- where a beneficiary has asked for data to be rectified or erased, notifying those persons with whom the personal data has previously been shared;
- implementing policies to ensure data processing is performed in accordance with the GDPR;
- telling beneficiaries about a personal data breach if it is likely to result in a high risk to their rights and freedoms; and
- where personal data is transferred to a country outside the EEA or to an international organisation, ensuring that the European Commission has confirmed that the recipient country has an adequate level of protection or, if there is no such confirmation, providing appropriate safeguards (such as the encryption of data).
Preparing for the GDPR
There are many steps that trustees should already have taken to prepare for the GDPR, and unless they have done so, their current arrangements are unlikely to be GDPR-compliant. The full requirements of the GDPR (and its implications) will become clearer when the regulatory guidance and the DPA are finalised. Over the last year, trustees will have been reviewing their current arrangements and the data they hold, and establishing new processes.
GDPR compliance should not be considered a one-off exercise to ensure compliance from its enactment. Rather, the FDPIC will want to ensure that GDPR compliance is internalised and reflected in the way trustees carry out their activities on a pragmatic basis over time.
Some of the main action points trustees should be considering to ensure compliance include:
- decide which person in a trust company will deal with GDPR compliance; for example, nominate one of the trustees as the main point of contact for requests for information;
- conduct an audit and review all personal data currently held, including:
  - where and for how long it has been held;
  - reasons for the decision to keep the data for a specific time (for example, the length of the trust period);
  - who it relates to;
  - why it is being processed; and
  - how it is kept secure;
- consider who the data is shared with (for example, with law firms when seeking advice);
- regularly assess progress (for example, by including GDPR compliance as a fixed item on the agenda at company meetings);
- consider how long the data should be kept for. The GDPR requires trustees to keep data for "no longer than is necessary for the purposes for which the personal data are processed …";
- update existing data protection policies to make them GDPR compliant. If no data protection policy exists, trustees should create one to satisfy their accountability obligations. The data protection policy should refer to:
  - the timescale for complying with beneficiary information requests;
  - how personal data is processed and stored; and
  - the procedures and policies they have in place to comply with the GDPR;
- establish procedures to identify, record, and (if required) report, a data breach;
- carry out training for trustees. In particular, all individuals involved in processing should be able to identify when there has been a personal data breach and be aware how this should be dealt with;
- review insurance policies to see if they can be extended to cover liability for fines and compensation under the GDPR; and
- review policies on trustee indemnities on retirement to ensure that liabilities in relation to the GDPR are taken into account.
Examples: Trustees as data controllers
- The Swiss Trust Company XYZ has been appointed as the trustee of an endowment fund. Every year they receive grant applications from students who give their name, address and brief details of their studies as well as a personal statement in support of their application. The GDPR applies to the Swiss Trust Company XYZ as data controller in relation to the personal data they hold about the student applicants (past and present) who are data subjects. This is regardless of whether the data is contained in a computer system, on emails, or in a paper filing system.
- The Swiss Trust Company XYZ is trustee of the Pan Family Discretionary Trust. The settlor is Peter Pan, who defined the discretionary class as the lineal descendants of his father and mother and their spouses. Peter has written a letter of wishes indicating that he would like his four children and their children to be the principal beneficiaries and that the other members of the discretionary class should only benefit if his children and grandchildren have all died. He does not envisage that any other beneficiaries will ever benefit. Rather than employing a genealogical researcher to track down all of Peter's second cousins (who he believes are settled in Neverland), the trustees decide to limit their record keeping to Peter's immediate family. This complies with the purpose limitation and data minimisation principles of the GDPR. However, all of Peter’s children and grandchildren will be data subjects, and the Swiss Trust Company XYZ will need to comply with the GDPR principles in respect of the holding and processing of their data.
Seek advice
If you as a trustee are uncertain how the GDPR and DPA affect you and how you can ensure compliance now and in the future, we suggest contacting us to discuss bespoke solutions for your business which will be largely determined by your size, expertise and the location of your client base. Indeed, Charles Russell Speechlys SA is uniquely placed to provide integrated Swiss and EU legal advice to trustees, protectors and beneficiaries on the effects of the GDPR and the revised DPA.
For further information, please contact Grégoire Uldry on +41 (0)22 591 18 43 / Gregoire.Uldry@crsblaw.com or Olivier Cavadini on +41 (0)22 591 18 44 / Olivier.Cavadini@crsblaw.com.