datenrecht.ch

FAC (B‑5796/2014, 16.3.2016) – FINMA’s “gua­ran­tee of irre­proacha­ble busi­ness acti­vi­ty and pro­fes­sio­nal prac­ti­ce” data coll­ec­tion; legal basis; accuracy

[Decis­i­on over­tur­ned by the Fede­ral Supre­me Court; cf. the report at swiss­blawg]

Sin­ce 2009, FINMA has main­tai­ned the data coll­ec­tion “Gua­ran­tee for irre­proacha­ble busi­ness acti­vi­ty and pro­fes­sio­nal prac­ti­ce” with the pur­po­se of “auxi­lia­ry data coll­ec­tion for asses­sing whe­ther indi­vi­du­al natu­ral per­sons offer or would offer the gua­ran­tee requi­red by the super­vi­so­ry laws for cer­tain func­tions at super­vi­sed entities.”

A for­mer seni­or exe­cu­ti­ve of a bank that had serious­ly vio­la­ted Swiss finan­cial mar­ket law initi­al­ly reque­sted infor­ma­ti­on on his data in the afo­re­men­tio­ned data coll­ec­tion and later deman­ded that it be dele­ted and that no fur­ther pro­ce­s­sing of his data be car­ri­ed out. FINMA rejec­ted this request.

The BVGer con­firms this decis­i­on:

The­re is a legal basis (DSG 17 II) for kee­ping the data collection:

The requi­re­ment set out in Art. 17 (2) FADP, accor­ding to which the pro­ce­s­sing of per­so­nal data and per­so­na­li­ty pro­files requi­ring spe­cial pro­tec­tion must be enshri­ned in a law in the for­mal sen­se, is thus ful­fil­led. The pro­vi­si­on also con­ta­ins an expli­cit dele­ga­ti­on to regu­la­te fur­ther details. The complainant’s view that becau­se the legis­la­tor has express­ly men­tio­ned various other data coll­ec­tions in the rele­vant Finan­cial Mar­ket Act its­elf, this is requi­red for all data coll­ec­tions of the lower instance is obvious­ly base­l­ess in view of the clear wor­ding of this dele­ga­ti­on norm.

2.4.2 Based on Art. 23 para. 1 FINMASA, the lower instance issued the Data Ordi­nan­ce-FIN­MA, which in Art. 1 descri­bes its sub­ject mat­ter as follows:
“1 FINMA shall include in a data coll­ec­tion data on per­sons who­se gua­ran­tee of irre­proacha­ble busi­ness acti­vi­ty under the finan­cial mar­ket acts and FINMASA is doubtful or non-existent.
2 It shall main­tain the data coll­ec­tion to ensu­re that only per­sons who offer gua­ran­tees of irre­proacha­ble busi­ness activity:
a. are ent­ru­sted with the admi­ni­stra­ti­on or manage­ment of super­vi­sed enti­ties; or
b. have a signi­fi­cant inte­rest in the super­vi­sed entities.”

2.4.3 With regard to the pur­po­se of the data pro­ce­s­sing, it can be infer­red from Art. 23 para. 1 FINMASA that the lower instance pro­ce­s­ses per­so­nal data, inclu­ding data requi­ring spe­cial pro­tec­tion and per­so­na­li­ty pro­files, “within the frame­work of super­vi­si­on under this Act and the finan­cial mar­ket laws”.

The list pur­su­ant to Art. 3 of the FINMA Data Ordi­nan­ce is not exhaustive:

3.1 Artic­le 3 of the Data Ordi­nan­ce-FIN­MA con­ta­ins a list of data that must be inclu­ded in the data file. Accor­ding to this pro­vi­si­on, the data file con­ta­ins the fol­lo­wing data: […].
3.1.1 It is not clear from the wor­ding of this pro­vi­si­on whe­ther the list is to be under­s­tood as exhaus­ti­ve or not.

3.1.4 The inter­pre­ta­ti­on thus shows that the complainant’s view that only data express­ly listed in Art. 3 of the FINMA Data Ordi­nan­ce may be inclu­ded in the data file can­not be accept­ed. Rather, it must be assu­med that this list is not exhaus­ti­ve and that the lower instance is aut­ho­ri­zed to include in the data file all data that could with a cer­tain degree of pro­ba­bi­li­ty be rele­vant with regard to a future gua­ran­tee assessment.

The inclu­si­on of sus­pi­ci­ons that have not been legal­ly cla­ri­fi­ed does not vio­la­te the prin­ci­ple of correctness:

Base­line:

Accor­ding to Art. 5 para. 1 FADP, the per­son who pro­ce­s­ses per­so­nal data must ensu­re that it is cor­rect. The pro­ce­s­sing of inac­cu­ra­te per­so­nal data is only unlawful if its inac­cu­ra­cy is due to a lack of veri­fi­ca­ti­on by the pro­ces­sor. The duty to ascer­tain pur­su­ant to Art. 5 para. 1 FADP ent­ails that the fede­ral body respon­si­ble must veri­fy the accu­ra­cy of the per­so­nal data it pro­ce­s­ses. must review them ex offi­cio as soon as con­cre­te indi­ca­ti­ons of their incor­rect­ness are sub­mit­ted to it with a request for cor­rec­tion.. If it fails to com­ply with this obli­ga­ti­on or does so ina­de­qua­te­ly, the future pro­ce­s­sing of the data con­cer­ned beco­mes unlawful and thus gives rise to the right to injunc­ti­ve reli­ef and rec­ti­fi­ca­ti­on pur­su­ant to Art. 25 para. 1 let. a and para. 3 let. a FADP (cf. JAN BANGERT, in: Bas­ler Kom­men­tar DSG, loc. cit. 46 f. p. 471; Yvonne JÖHRI, in: Hand­kom­men­tar zum Daten­schutz­ge­setz, 2008, Art. 25 N. 12 ff. P. 588; BVGE 2013/30 E. 4.1; VPB 65.51). The Data Pro­tec­tion Act does not reco­gnize any actu­al obli­ga­ti­on to pro­cess only cor­rect data. The data pro­ces­sor is only obli­ged to ascer­tain the accu­ra­cy of the data he or she is pro­ce­s­sing. The ext­ent to which he must go in his cla­ri­fi­ca­ti­ons about the accu­ra­cy is to be exami­ned in each indi­vi­du­al case. In par­ti­cu­lar, the pur­po­se of the data coll­ec­tion, the ext­ent to which data is dis­c­lo­sed and its sen­si­ti­vi­ty are decisi­ve. […].

FINMA did not vio­la­te the­se principles:

4.2 The watch­list of the lower instance in que­sti­on ser­ves, as explai­ned, exclu­si­ve­ly the inter­nal know­ledge manage­ment of the aut­ho­ri­ty. It is a purely inter­nal data coll­ec­tion to which only a few employees of the lower instance have any access. In it, the lower instance coll­ects data which, with a cer­tain degree of pro­ba­bi­li­ty, could be rele­vant with regard to a future gua­ran­tee assess­ment. The very defi­ni­ti­on in Art. 1 of the Data Ordi­nan­ce-FIN­MA, accor­ding to which data is coll­ec­ted from “per­sons who­se gua­ran­tee of irre­proacha­ble busi­ness acti­vi­ty is doubtful or not given”, makes it clear that sus­pi­cious facts which have not yet been legal­ly cla­ri­fi­ed can also be docu­men­ted in the data collection.

The lower court recei­ved this docu­ment from Bank X. or its lawy­ers. Inter­nal inve­sti­ga­ti­ons of inter­na­tio­nal­ly acti­ve banks are typi­cal­ly not con­duc­ted by the bank its­elf, but by a law firm or an audi­ting com­pa­ny, which are inter­na­tio­nal­ly respec­ted for the qua­li­ty and inde­pen­dence of their such inve­sti­ga­ti­ons, in par­ti­cu­lar also by the rele­vant for­eign super­vi­so­ry aut­ho­ri­ties. If the lower instance has accept­ed docu­ments or minu­tes from such an inter­nal inve­sti­ga­ti­on for its data coll­ec­tion, it can­not be accu­sed of not having ful­fil­led its duty of veri­fi­ca­ti­on, at least as long as the­re are no con­cre­te indi­ca­ti­ons that would rai­se doubts as to the authen­ti­ci­ty or accu­ra­cy of the docu­ments in question.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be