10 Confidentiality of client data, data security and data protection

For SZKB, the confidentiality of client data, bank client confidentiality, data security and data protection are of great importance. 

Switzerland has strict regulatory requirements in regard to data protection. 

Art. 13 of the Federal Constitution stipulates the basic principle that everyone has the right to respect for their private and family life, their residence and their correspondence, postal mail and telecommunications, and to protection against misuse of their personal information.

The Federal Data Protection Act (FADP), which has been in force since 1 July 1993, was passed in order to enshrine this protection in law. The corresponding regulation (VDSG) regulates the details.

Switzerland’s banking secrecy is a feature that sets it apart from other countries. Banking secrecy is enshrined in the Federal Act on Banks and Savings Banks (BankG) in Art. 47. 

The Head of Finance & Risk Management, who is a member of the Executive Board, has ultimate responsibility for the creation, implementation and compliance with the measures to ensure data protection and data security. 

The Compliance/Legal Services department is responsible for implementing data protection legislation. The Data Protection Officer evaluates the processing of personal information and recommends corrective action if they find that data protection regulations are being violated. The Data Protection Officer also maintains a list of data records. Finally, the Security Commission (SI-KOM), a body appointed by the Executive Board, drives management and control of security issues (such as information protection, physical security and data protection) at SZKB. 

SZKB operates an information security management system (ISMS) based on ISO 27001. SZKB also conducts internal and external audits on a regular basis to ensure high standards with regard to data security.

SZKB treats both the personal information entrusted to it by its clients and all personal information confidentially and according to the applicable statutory and regulatory requirements. The Bank will only disclose or forward personal information to third parties if permitted by law or necessary for the purpose of contract fulfilment. Personal information may also be provided to third parties with the express consent of the clients concerned.

In the event that client data is disclosed to a third party on the basis of a contractual obligation, the contractual partner shall also be obliged to comply with the provisions of data protection law as they would apply to SZKB. 

The Data Protection Officer maintains an inventory of the data records and updates it annually. The controller of a newly opened data record must report it to the Data Protection Officer if the data record has existed for more than six months. A new data record also exists if data is extracted from an existing data record and the resulting data record serves an independent purpose. 

Documentation and information obligations are latent risks for the Bank. Data in both physical and electronic form is to be archived in accordance with the law and, based on the right to be forgotten, destroyed in due course also in accordance with the law. Deletion or destruction of data thus must also be taken into account as part of the data life cycle. Each employee is responsible for performing the tasks and activities associated with storage and destruction of documents and data. 

Any person may request information from the controller of a data record as to whether data relating to them is being processed. All persons have the right to inspect any information about them that is being processed. Likewise, any person about whom information is processed may request rectification and/or deletion of their individual data items in accordance with the law. These personal rights of clients apply in principle in all business areas of SZKB and are set out transparently in the General Terms and Conditions as well as on the szkb.ch website under the headings of «Legal information» and «Privacy policy».

Personal and other sensitive information is protected by a multi-level security system. All non-public SZKB premises are protected by personal access controls. The Bank’s internal IT systems can only be accessed with the individual identifier of each employee and in conjunction with a personal password. This means that only SZKB employees or authorised representatives can access data, and each instance of access to data can be associated with a specific person. This multi-level security system is implemented according to the applicable regulations while taking the «need-to-know» principle into account. 

SZKB also expects suppliers and partners to implement comparable security mechanisms. Accordingly, these are also subject to regular audits.

SZKB launched a new application to manage user rights in 2022.

Appropriate technical and organisational measures are used to protect information against unauthorised processing. SZKB has implemented precautionary (proactive) measures to reduce the risk of data leaks and ensure the integrity of data storage and confidentiality to the greatest extent possible. SZKB has an emergency plan in order to appropriately respond to a data breach at any time. These proactive and reactive measures comply with the requirements of the Swiss Financial Market Supervisory Authority FINMA pursuant to Annex 3 FINMA Circular 2008/21 and FINMA Supervisory Notice 05/2020 in regard to the obligation to report cyber attacks pursuant to Art. 29 (2) FINMASA. 

SZKB has a very restrictive cloud policy and, for the time being, is refraining from widespread use of IT tools with cloud solutions. Exceptions to this rule are only possible in strict compliance with the requirements laid down by Swissbanking in the Cloud Guidelines and on the basis of legal requirements or with the consent of clients. It is not just organisational units such as Information Security and/or the Compliance function that continuously monitor whether data security is being ensured; data security is also taken into account when launching new tools in project and process management. SZKB backs up data regularly and tests the restore process at least annually.

All full-time and part-time employees of SZKB, as well as authorised representatives with access to SZKB’s IT systems, are required to complete annual online training courses on data and information security. SZKB regularly carries out measures for raising awareness, such as simulated phishing or smishing attacks on employees.

In 2022 (as in the previous year), clients, external parties and the supervisory authorities did not file any complaints regarding breaches of client data protection, and there was also no data theft or loss in conjunction with client data.

The confidentiality of client data, data security and data protection will continue to be a high priority at SZKB in future. Accordingly, the Bank continuously adapts measures to prevent data leaks, ensuring that information and data security are kept in line with the state-of-the-art and subjected to further improvements. In particular, SZKB will ensure that the provisions of the Swiss Data Protection Act, which will be tightened as of 1 September 2023, are also implemented and complied with.