The FDPIC has published infor­ma­ti­on on his web­site at FAQ → Insu­rance com­pa­nies on the que­sti­on of whe­ther a ser­vice com­pa­ny to which a pen­si­on fund trans­fers part or all of its assets should be allo­wed to pro­vi­de ser­vices. trans­fer­red to the ope­ra­ting busi­ness is a data pro­ces­sor or a data controller.

The data pro­tec­tion role of the mana­ging direc­tor of a pen­si­on fund – this can be a pen­si­on fund, an invest­ment foun­da­ti­on or a vested bene­fits foun­da­ti­on – has been the sub­ject of long and inten­si­ve debate:

  • The Swiss Pen­si­on Fund Asso­cia­ti­on ASIP had taken the view in tech­ni­cal com­mu­ni­ca­ti­on no. 131 “Gui­dance on the imple­men­ta­ti­on of the new DPA” dated Octo­ber 20, 2022 that “[h]ad the CA out­sour­ced its admi­ni­stra­ti­on to a third par­ty, the data pro­ce­s­sing is car­ri­ed out by the admi­ni­stra­ti­on (as pro­ces­sor) on behalf of the CA”.
  • Pro­ba­b­ly becau­se of this state­ment, cer­tain Ser­vice pro­vi­ders in the mar­ket also take the view that they always and neces­s­a­ri­ly act as pro­ces­sors when mana­ging pen­si­on funds.
  • Howe­ver, it is gene­ral­ly reco­gnized that not all ser­vice pro­vi­ders are also pro­ces­sors The decisi­ve fac­tor is whe­ther they actual­ly deci­de on the pur­po­ses and means of pro­ce­s­sing or whe­ther they are not given this free­dom. At least in the case of com­pre­hen­si­ve out­sour­cing of manage­ment, it is dif­fi­cult to justi­fy not lea­ving the frame­work of order pro­ce­s­sing. For this rea­son, the pre­do­mi­nant view was pro­ba­b­ly to clas­si­fy the mana­ging direc­tors of CEs not as order pro­ces­sors as a rule, but as – sole­ly or joint­ly – con­trol­lers (we have taken this view, as have, for exam­p­le, the Ger­man Fede­ral Data Pro­tec­tion Aut­ho­ri­ty). David Rosen­thal).

In the Acti­vi­ty report 2023/2024 then recorded,

In prac­ti­ce, pen­si­on funds some­ti­mes trans­fer part or all of their busi­ness ope­ra­ti­ons to an exter­nal com­pa­ny. Such ser­vice com­pa­nies act on behalf of the employee bene­fits insti­tu­ti­on and act as Order data pro­ces­sor within the mea­ning of Art. 9 FADP.

In the infor­ma­ti­on published on Decem­ber 11, 2024, the FDPIC right­ly dif­fe­ren­tia­tes as follows:

Pen­si­on funds, which are gene­ral­ly orga­ni­zed as foun­da­ti­ons, are obli­ged to pro­vi­de man­da­to­ry occu­pa­tio­nal pen­si­on insu­rance. In prac­ti­ce, pen­si­on funds some­ti­mes trans­fer part or all of their busi­ness ope­ra­ti­ons to an exter­nal com­pa­ny. In terms of their role and qua­li­fi­ca­ti­on under data pro­tec­tion law, such ser­vice com­pa­nies can Depen­ding on the con­stel­la­ti­on, eit­her as a pro­ces­sor or as a con­trol­ler occur.

For cases in which only cer­tain ope­ra­tio­nal acti­vi­ties and the employee bene­fits insti­tu­ti­on remains signi­fi­cant­ly invol­ved in the pro­cess, the form of the Order pro­ce­s­sing be appli­ca­ble. In con­stel­la­ti­ons in which the trans­fer is more com­pre­hen­si­ve and affects not only indi­vi­du­al ope­ra­ti­ons or data pro­ce­s­sing, but also the auto­no­mous ful­fill­ment of occu­pa­tio­nal pen­si­on tasks, the Ser­vice com­pa­ny a respon­si­ble per­son repre­sent. This is par­ti­cu­lar­ly the case if the ser­vice com­pa­ny takes over the manage­ment of the pen­si­on fund or actual­ly deci­des with grea­ter auto­no­my. The ser­vice com­pa­ny can also be a respon­si­ble par­ty when spe­ci­fic tasks of the pen­si­on fund are trans­fer­red, for exam­p­le if it takes care of the rela­ti­on­ship with the insu­red per­sons and in this con­text inde­pen­dent decis­i­ons meets. The­r­e­fo­re, the agreed con­trac­tu­al rela­ti­on­ships with regard to the divi­si­on of tasks and the spe­ci­fic cir­cum­stances must always be taken into account in this context.

This infor­ma­ti­on addres­ses the spe­ci­fic cir­cum­stances of the indi­vi­du­al case as requi­red by the cri­te­ria for distin­gu­is­hing bet­ween con­trol­lers and pro­ces­sors. This also means that a cer­tain amount of lee­way remains. This is becau­se the roles gene­ral­ly also depend on how the con­tract is draf­ted, as this also deter­mi­nes what auto­no­my the ser­vice pro­vi­der effec­tively has. Ulti­m­ate­ly, deter­mi­ning the roles remains a dif­fi­cult art – here, but also, for exam­p­le, in real estate manage­ment (whe­re prac­ti­ce often assu­mes joint respon­si­bi­li­ty), or in the refi­nan­cing of mor­tga­ges or secu­ri­tizati­ons and in various other constellations.

The FDPIC’s gui­dance does not address the que­sti­ons of the con­di­ti­ons under which a joint respon­si­bi­li­ty is pre­sent and what hap­pens in the case of Dual gover­ning body applies, i.e. if a per­son holds a manage­ment posi­ti­on both on the Board of Tru­s­tees of the pen­si­on fund and with the mana­ging director.