The FDPIC has published information on its website under FAQ → Insurance companies on the question of whether a service company to which a pension fund transfers part or all of its operating business is a data processor or a data controller.
The data protection role of the managing director of an employee benefits institution – this can be a pension fund, an investment foundation or a vested benefits foundation – has been the subject of long and intensive debate:
- The Swiss Pension Fund Association ASIP had taken the view in technical communication no. 131 “Guidance on the implementation of the new DPA” dated October 20, 2022 that “[h]ad the CA outsourced its administration to a third party, the data processing is carried out by the administration (as processor) on behalf of the CA”.
- Probably because of this statement, certain service providers in the market also take the view that they always and necessarily act as processors when managing pension funds.
- However, it is generally recognized that not all service providers are also processors. The decisive factor is whether they actually decide on the purposes and means of processing or whether they are not given this freedom. At least in the case of comprehensive outsourcing of management, it is difficult to argue that the arrangement stays within the framework of order processing. For this reason, the predominant view was probably to classify the managing directors of employee benefits institutions not as processors as a rule, but as – solely or jointly – controllers (we have taken this view, as have, for example, the German Federal Data Protection Authority and David Rosenthal).
The Activity Report 2023/2024 then stated:
In practice, pension funds sometimes transfer part or all of their business operations to an external company. Such service companies act on behalf of the employee benefits institution and act as processors within the meaning of Art. 9 FADP.
In the information published on December 11, 2024, the FDPIC rightly differentiates as follows:
Pension funds, which are generally organized as foundations, are obliged to provide mandatory occupational pension insurance. In practice, pension funds sometimes transfer part or all of their business operations to an external company. In terms of their role and qualification under data protection law, such service companies can, depending on the constellation, act either as a processor or as a controller.
In cases in which only certain operational activities are transferred and the employee benefits institution remains significantly involved in the process, the form of order processing can be applicable. In constellations in which the transfer is more comprehensive and affects not only individual operations or data processing, but also the autonomous fulfillment of occupational pension tasks, the service company can be a controller. This is particularly the case if the service company takes over the management of the pension fund or actually decides with greater autonomy. The service company can also be a controller when specific tasks of the pension fund are transferred, for example if it takes care of the relationship with the insured persons and makes independent decisions in this context. Therefore, the agreed contractual relationships with regard to the division of tasks and the specific circumstances must always be taken into account in this context.
This information addresses the specific circumstances of the individual case as required by the criteria for distinguishing between controllers and processors. This also means that a certain amount of leeway remains. This is because the roles generally also depend on how the contract is drafted, as this also determines what autonomy the service provider effectively has. Ultimately, determining the roles remains a difficult art – here, but also, for example, in real estate management (where practice often assumes joint responsibility), or in the refinancing of mortgages or securitizations and in various other constellations.
The FDPIC’s guidance does not address the questions of the conditions under which joint responsibility exists and what applies in the case of a dual governing-body role, i.e. if a person holds a management position both on the Board of Trustees of the pension fund and with the managing director.