SWITZERLAND

This content was last reviewed around November 2023.

Cloud-friendly

1. Are financial institutions legally permitted to use cloud services?

Yes, if the institution meets all the applicable legal requirements for the use of cloud services.

2. Are there any rules which apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes, the following laws must be observed:

  • Federal Act on Data Protection (SR 235.1) and the Ordinance to the Federal Act on Data Protection
  • Banking Act (SR 235.11)
  • Federal Act on Financial Institutions (SR 954.1 "FinIA")
  • Insurance Supervision Act (SR 961.01)

The Swiss Financial Market Supervisory Authority ("FINMA") has set out the rules regarding outsourcing in the two circulars below:

  • Circular 2018/3 Outsourcing — banks, insurance companies and selected financial institutions under FinIA
  • Circular 2008/21 Operational risks at banks (This circular is currently being revised and replaced by the new FINMA Circular 2023/1 Operational risks and resilience — banks, scheduled to enter into force on 1 January 2024.)

The draft Circular 2023/1 Operational risks and resilience — banks focuses on the supervisory practice with regard to the management of operational risks in connection with information and communication technology, including the handling of critical data and cyber risks.

3. Are there any specific contractual requirements for cloud outsourcing?

The provisions set out below must be incorporated into the outsourcing agreement to make sure that any outsourcing complies with the relevant outsourcing rules.

A written outsourcing agreement, or an agreement in a form demonstrable by text, must be signed. In addition to naming the parties and describing the outsourced function, this agreement must also provide for the following:

  • It must provide for the use or replacement of subcontractors for significant functions at an early stage and allow for the possibility of terminating the outsourcing in an orderly manner.
  • Subcontractors must be bound by the same obligations and guarantees as the cloud service provider.
  • The cloud service provider must offer a guarantee of permanent service provision.
  • Provisions must be made for insourcing the outsourced function or transferring it to another cloud service provider in an orderly manner.
  • The duties must be contractually agreed.
  • Rights to monitor, instruct and control must be granted to effectively address risk arising from the outsourcing.
  • Security requirements must be contractually agreed.
  • An audit firm and the Swiss Financial Market Supervisory Authority ("FINMA") must be able to verify the cloud service provider's compliance with supervisory regulations. They must have the contractual right to inspect and audit all information deemed relevant for the outsourced function at any time without restriction.
  • If the cloud service provider is not supervised by FINMA, there must be a contractual obligation to provide FINMA with all the information and documentation concerning the outsourced functions, which are necessary for FINMA's supervisory activities.

4. When does cloud outsourcing fall within the scope of the rules?

Outsourcing falls within the meaning of the Swiss Financial Market Supervisory Authority Circular 2018/3 when an institution mandates a cloud service provider to perform, independently and on an ongoing basis, all or part of a function that is significant to the company's business activities. Such significant functions include the following:

  • Data storage, if data storage is the function to be outsourced and the information stored is relevant for supervised activities.
  • Operation and maintenance of databases.
  • Operation of information technology systems.

5. Does the outsourcing need to be notified to the regulator?

Under the revised Federal Act on Data Protection, in a case where customer data is going to be transferred to a country that does not provide an appropriate level of data protection from a Swiss law perspective and where protection is ensured by using contractual clauses that are approved, issued or recognized by the Swiss Data Protection and Information Commissioner ("FDPIC"), notification to the FDPIC is no longer necessary for the transfer of data to other countries.

There is generally no need to inform or notify the Swiss Financial Market Supervisory Authority ("FINMA") in advance of any contemplated outsourcing. However, in exceptional circumstances, informing FINMA may be required given the general obligation of a regulated entity to report any issues of substantial importance to FINMA's supervision.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Under Swiss criminal law, a violation of relevant local rules on outsourcing primarily leads to criminal liability for the violation of the secrecy obligation (Article 47 of the Banking Act, Article 69 of the Act on Financial Institutions and Article 35 of the Revised Federal Act on Data Protection). Additionally, a violation of the rules on outsourcing may lead to administrative measures with a punitive character. In certain circumstances — and not only in case of a breach of outsourcing rules but generally in the course of outsourcing — the following additional consequences under criminal law could be relevant:

  • Article 271 of the Swiss Criminal Code. If the cloud service provider is required to disclose data (e.g., as a result of a legal obligation imposed by a foreign government), such disclosure, if it occurs outside of an official Swiss legal or administrative assistance procedure, might incur sanctions under this article.
  • Article 273 of the Swiss Criminal Code. This article makes it an offense for a person to disclose a manufacturing or trade secret to a foreign official agency, a foreign organization, a foreign private enterprise or the agents of the same.

Noncompliance with financial markets regulations may also lead to administrative measures being taken by the Swiss Financial Market Supervisory Authority against relevant supervised entities and their officers and executives. Additionally, violation or noncompliance could lead to civil law claims due to an infringement of personality rights. It might also trigger claims under contract law should the noncompliance/violation also breach any contractual agreement.

7. Are there any data privacy and/or data security laws that would apply?

Yes, the cloud service provider is only entitled to process the data in the same manner as the entity outsourcing the data processing (Article 10a of the Federal Act on Data Protection ("FADP") and Article 9 of the Revised Federal Act on Data Protection ("revFADP")). The cloud service provider must ensure appropriate data security (Article 7 of the FADP and Article 8 of the revFADP). Personal data must generally not be transferred to, or made available in, jurisdictions that do not provide for an appropriate level of data protection from a Swiss law perspective without sufficient safeguards being put in place (Article 6 of the FADP and Articles 16 and 17 of the revFADP).

8. Are there any restrictions under local data protection laws which would impact the overseas hosting of data?

Yes. If data is transferred to a jurisdiction that does not provide for an appropriate level of data protection from a Swiss law perspective, adherence to Swiss data protection standards must be ensured by, for example, concluding an EU model clause agreement, including the relevant Swiss amendments, with the cloud service provider.

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

No.

10. Are express consents from customers or other data subjects required before moving data to the cloud?

No; however, restrictions could arise either from the contractual agreement between the financial institution and the customer/data subject or on the basis of the customer's justified expectations arising from specific circumstances.

11. Are there any local laws which require a cloud service provider to be able to access the data it hosts?

No.

12. Are there any local laws which would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. In civil proceedings, the cloud service provider may be required by the courts to disclose certain information even if it is not party to the proceedings (Article 160 of the Civil Procedure Code, SR 272).

In public law (administrative) proceedings initiated by the Swiss Financial Market Supervisory Authority under its supervisory rights, a request may be made to the cloud service provider to provide information (Article 29 of the Financial Market Supervision Act, SR 956.1).

In criminal law proceedings, the cloud service provider may be required by the authorities to disclose information (Article 246 of the Criminal Procedure Code, SR 312).

In the course of mutual assistance in criminal matters, cloud service providers may be required to disclose certain information. On request, documents, data or assets seized as evidence or for the purpose of forfeiture, as well as records and decisions, will be made available to the competent foreign authority after conclusion of the mutual assistance proceedings (Article 74 et seq. of the Mutual Assistance Act, SR 351).

Under data protection laws, the data subjects have no right of disclosure over their data vis-à-vis the cloud service provider but only vis-à-vis the bank that is the data controller.