[Decision overturned by the Federal Supreme Court; cf. the report at swissblawg]
Since 2009, FINMA has maintained the data collection “Guarantee for irreproachable business activity and professional practice” with the purpose of “auxiliary data collection for assessing whether individual natural persons offer or would offer the guarantee required by the supervisory laws for certain functions at supervised entities.”
A former senior executive of a bank that had seriously violated Swiss financial market law initially requested information on his data in the aforementioned data collection and later demanded that it be deleted and that no further processing of his data be carried out. FINMA rejected this request.
The BVGer confirms this decision:
There is a legal basis (Art. 17 para. 2 FADP) for keeping the data collection:
The requirement set out in Art. 17 (2) FADP, according to which the processing of personal data and personality profiles requiring special protection must be enshrined in a law in the formal sense, is thus fulfilled. The provision also contains an explicit delegation to regulate further details. The complainant’s view that because the legislator has expressly mentioned various other data collections in the relevant Financial Market Act itself, this is required for all data collections of the lower instance is obviously baseless in view of the clear wording of this delegation norm.
2.4.2 Based on Art. 23 para. 1 FINMASA, the lower instance issued the Data Ordinance-FINMA, which in Art. 1 describes its subject matter as follows:
“1 FINMA shall include in a data collection data on persons whose guarantee of irreproachable business activity under the financial market acts and FINMASA is doubtful or non-existent.
2 It shall maintain the data collection to ensure that only persons who offer guarantees of irreproachable business activity:
a. are entrusted with the administration or management of supervised entities; or
b. have a significant interest in the supervised entities.”
2.4.3 With regard to the purpose of the data processing, it can be inferred from Art. 23 para. 1 FINMASA that the lower instance processes personal data, including data requiring special protection and personality profiles, “within the framework of supervision under this Act and the financial market laws”.
The list pursuant to Art. 3 of the FINMA Data Ordinance is not exhaustive:
3.1 Article 3 of the Data Ordinance-FINMA contains a list of data that must be included in the data file. According to this provision, the data file contains the following data: […].
3.1.1 It is not clear from the wording of this provision whether the list is to be understood as exhaustive or not.
3.1.4 The interpretation thus shows that the complainant’s view that only data expressly listed in Art. 3 of the FINMA Data Ordinance may be included in the data file cannot be accepted. Rather, it must be assumed that this list is not exhaustive and that the lower instance is authorized to include in the data file all data that could with a certain degree of probability be relevant with regard to a future guarantee assessment.
The inclusion of suspicions that have not been legally clarified does not violate the principle of correctness:
Baseline:
According to Art. 5 para. 1 FADP, the person who processes personal data must ensure that it is correct. The processing of inaccurate personal data is only unlawful if its inaccuracy is due to a lack of verification by the processor. The duty to ascertain pursuant to Art. 5 para. 1 FADP entails that the federal body responsible must verify the accuracy of the personal data it processes; it must review them ex officio as soon as concrete indications of their incorrectness are submitted to it with a request for correction. If it fails to comply with this obligation or does so inadequately, the future processing of the data concerned becomes unlawful and thus gives rise to the right to injunctive relief and rectification pursuant to Art. 25 para. 1 let. a and para. 3 let. a FADP (cf. JAN BANGERT, in: Basler Kommentar DSG, loc. cit. 46 f. p. 471; YVONNE JÖHRI, in: Handkommentar zum Datenschutzgesetz, 2008, Art. 25 N. 12 ff. p. 588; BVGE 2013/30 E. 4.1; VPB 65.51). The Data Protection Act does not recognize any actual obligation to process only correct data. The data processor is only obliged to ascertain the accuracy of the data he or she is processing. How far he or she must go in clarifying the accuracy is to be examined in each individual case. In particular, the purpose of the data collection, the extent to which data is disclosed and its sensitivity are decisive. […].
FINMA did not violate these principles:
4.2 The watchlist of the lower instance in question serves, as explained, exclusively the internal knowledge management of the authority. It is a purely internal data collection to which only a few employees of the lower instance have any access. In it, the lower instance collects data which, with a certain degree of probability, could be relevant with regard to a future guarantee assessment. The very definition in Art. 1 of the Data Ordinance-FINMA, according to which data is collected from “persons whose guarantee of irreproachable business activity is doubtful or not given”, makes it clear that suspicious facts which have not yet been legally clarified can also be documented in the data collection.
The lower court received this document from Bank X. or its lawyers. Internal investigations of internationally active banks are typically not conducted by the bank itself, but by a law firm or an auditing company, which are internationally respected for the quality and independence of such investigations, in particular also by the relevant foreign supervisory authorities. If the lower instance has accepted documents or minutes from such an internal investigation for its data collection, it cannot be accused of not having fulfilled its duty of verification, at least as long as there are no concrete indications that would raise doubts as to the authenticity or accuracy of the documents in question.