The General Data Protection Regulation (GDPR) and the revised Swiss Data Protection Act (DPA) - Advice for Trustees based in Switzerland
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. This new EU data protection regime introduces new obligations on trustees as data controllers when processing the personal data of data subjects (such as settlors and beneficiaries). In the Swiss context, the GDPR also has extra-territorial reach: a business established outside the EU, including in Switzerland, falls within the Regulation where it processes the personal data of data subjects who are in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3(2) GDPR), and must then comply with the EU rules. Trust businesses in Switzerland falling within this category should therefore review their procedures in order to comply with the GDPR.
Swiss trust companies and businesses will also need to comply with the revised Swiss Data Protection Act (DPA), which is expected to be introduced at the end of 2018 or in early 2019. Broadly speaking, the revised DPA is intended to bring Swiss law into line with the GDPR; the Federal Council published its draft on 15 September 2017. The DPA is likely to take time to implement, and lawyers and practitioners will be watching the interplay between the two regimes closely. For the time being it is assumed that the obligations that arise for trustees under the GDPR will apply in a similar way under the DPA.
What is personal data and why is a trustee a data controller?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (the “data subject”). A data controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processing” is broad and includes collecting, recording, organising, storing, retrieving, consulting, using, erasing or destroying personal data. As such, trustees will in almost all instances be data controllers in relation to the information they gather, store and use about all persons linked to a trust (the data subjects), which includes not only the beneficiaries but also the settlor, protector, appointor and any other connected persons whose data is processed.
It is important to be aware that the GDPR is wide-reaching and its principles will apply in all cases where personal data is processed within a company or its group. Swiss trust companies that pass on personal data of data subjects to other departments or companies within their group need to be conscious of this and have appropriate measures in place.
The GDPR establishes a two-tiered system of administrative fines. Some infringements (for example, failures in internal record keeping) are subject to fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. Others (such as breaches of the data protection principles or of data subjects’ rights) are subject to higher fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. Under the DPA the maximum financial penalty is substantially lower, at CHF 250,000, and is a criminal fine imposed on the responsible individual rather than on the company.
Obligations of data controllers
Trustees must be able to demonstrate compliance with the data protection regime as part of the overall principle of accountability. The main obligations under the GDPR and the DPA that trustees will need to meet when processing clients’ data include:
- providing beneficiaries with information (privacy notices) about the personal data being processed, the purposes of the processing and the recipients of that data, and responding to subject access requests (such requests should be reasonable, and trustees need only provide the personal data they actually hold concerning the beneficiary in question, nothing more);
- keeping an up-to-date record of all processing activities for which they are responsible;
- ensuring data is processed securely, with technical and organisational measures that meet the standard imposed by the GDPR (Article 32), for example pseudonymisation or encryption of personal data, access controls restricting who can see trust files, and the ability to restore access to the data after an incident;
- ensuring that any data processing delegated to a processor (for example, a law firm or an IT provider) is governed by a contract that satisfies GDPR requirements;
- notifying personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) (the relevant Swiss supervisory authority) without undue delay; under the GDPR the standard is notification to the competent supervisory authority where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms;
- where a beneficiary has asked for data to be rectified or erased, notifying those persons with whom the personal data has previously been shared;
- implementing policies to ensure data processing is performed in accordance with the GDPR;
- telling beneficiaries about a personal data breach where it is likely to result in a high risk to their rights and freedoms; and
- where personal data is transferred to a country outside the EEA or to an international organisation, ensuring that the European Commission has confirmed by an adequacy decision that the recipient country offers an adequate level of protection (Switzerland itself benefits from such a decision) or, failing that, putting appropriate safeguards in place such as standard contractual clauses or binding corporate rules. Encryption and similar technical measures protect the data in transit and at rest and should accompany any transfer, but they do not by themselves provide a lawful basis for it.
Preparing for the GDPR
There are many steps that trustees should already have taken to prepare for the GDPR; trustees who have not taken them are unlikely to find that their current arrangements are GDPR-compliant. The full requirements of the GDPR (and its implications) will become clearer when the regulatory guidance and the DPA are finalised. Over the last year, trustees will have been reviewing their current arrangements and the data they hold, and establishing new processes.
GDPR compliance should not be treated as a one-off exercise completed on the date the Regulation takes effect. Rather, the FDPIC will expect compliance to be internalised and reflected, on an ongoing and pragmatic basis, in the way trustees carry out their activities.
The main action points trustees should be considering to ensure compliance include:
- decide which person in the trust company will be responsible for GDPR compliance; for example, nominate one of the trustees as the main point of contact for requests for information;
- conduct an audit of all personal data currently held, recording:
  - where it is held and for how long;
  - the reasons for keeping the data for that period (for example, the length of the trust period);
  - who it relates to;
  - why it is being processed; and
  - how it is kept secure;
- consider who the data is shared with (for example, law firms when seeking advice);
- regularly assess progress (for example, by including GDPR compliance as a fixed item on the agenda at company meetings);
- consider how long the data should be kept. The GDPR requires that personal data be kept for “no longer than is necessary for the purposes for which the personal data are processed …”;
- update existing data protection policies to make them GDPR-compliant. If no data protection policy exists, trustees should create one to satisfy their accountability obligations. The data protection policy should cover:
  - the timescale for responding to beneficiary information requests;
  - how personal data is processed and stored; and
  - the procedures and policies in place to comply with the GDPR;
- establish procedures to identify, record and (where required) report a data breach, including how the 72-hour notification window will be met;
- carry out training for trustees and staff. In particular, everyone involved in processing should be able to recognise a personal data breach and know how it should be handled;
- review insurance policies to see whether they can be extended to cover liability for fines and compensation under the GDPR; and
- review policies on trustee indemnities on retirement to ensure that liabilities in relation to the GDPR are taken into account.
Examples: Trustees as data controllers
- The Swiss Trust Company XYZ has been appointed as trustee of an endowment fund. Every year it receives grant applications from students who give their name, address and brief details of their studies, together with a personal statement in support of their application. The GDPR applies to the Swiss Trust Company XYZ as data controller in relation to the personal data it holds about the student applicants (past and present), who are data subjects. This is regardless of whether the data is held in a computer system, in emails or in a paper filing system.
- The Swiss Trust Company XYZ is trustee of the Pan Family Discretionary Trust. The settlor is Peter Pan, who defined the discretionary class as the lineal descendants of his father and mother and their spouses. Peter has written a letter of wishes indicating that he would like his four children and their children to be the principal beneficiaries, and that the other members of the discretionary class should benefit only if his children and grandchildren have all died. He does not envisage that any other beneficiaries will ever benefit. Rather than employing a genealogical researcher to track down all of Peter’s second cousins (who he believes are settled in Neverland), the trustees decide to limit their record keeping to Peter’s immediate family. This complies with the purpose limitation and data minimisation principles of the GDPR. However, all of Peter’s children and grandchildren will be data subjects, and the Swiss Trust Company XYZ will need to comply with the GDPR principles in respect of the holding and processing of their data.
If you as a trustee are uncertain how the GDPR and the DPA affect you, and how you can ensure compliance now and in the future, we suggest contacting us to discuss bespoke solutions for your business; these will be largely determined by your size, expertise and the location of your client base. Charles Russell Speechlys SA is well placed to provide integrated Swiss and EU legal advice to trustees, protectors and beneficiaries on the effects of the GDPR and the revised DPA.