
Classification¹
Initial Situation
For all financial institutions that process personal data, and thus realistically for all companies in this sector, the implementation of the revised Data Protection Act has involved and continues to involve considerable effort. The scope of the necessary measures depends on the individual risk profile and risk appetite of the financial institution. With regard to the latter, the introduction of the new data protection legislation has led to a tendency towards more risk-averse behavior among a large number of institutions.
From a (data protection) supervisory perspective, the press release regarding the publication of the annual activity report by the FDPIC earlier this year attracted considerable attention, especially when compared to the previous year. In 2024, the focus of this press release was on digital transformation. In 2025, however, a clear shift in emphasis emerged: the spotlight was now on increased intervention against legal violations.
The recently published FINMA Risk Monitor 2025 does not directly mention data protection as one of the main risks. However, the management of the risks "outsourcing", "cyber" and "information and communication technology (ICT)" must take data protection requirements into account.
Finally, data protection principles and regulations equally apply to the use of artificial intelligence (AI), which at the very least requires an in-depth understanding of how it operates.
FDPIC: Increased supervision and trends
The 2024/2025 activity report (Tätigkeitsbericht) highlights an intensification of data protection supervision. With over 1,000 newly registered data protection cases, including more than 360 reports of data security breaches, a significant increase compared to the previous year can be noted. The FDPIC responded with over 100 interventions and the initiation of several formal investigations. Equally noteworthy is the FDPIC’s practice of publishing rulings and the names of affected organisations on its website. This approach entails considerable reputational risks for those affected.
The FDPIC also makes it clear that, in practice, uncertainties persist and data protection requirements are often not fully complied with. The following two examples illustrate the risks that may (also) arise for financial institutions and how, for instance, organisational measures can mitigate these risks:
- Reporting data security breaches
Data security breaches must be reported to the FDPIC if there is a high risk to the privacy or fundamental rights of the persons concerned. Data subjects must be informed, for example, if this is necessary for their protection. According to the activity report, uncertainty exists regarding the terms "high risk" and "vulnerability", which trigger the duty to inform data subjects. Failure to inform the persons concerned had consequences in two cases in which investigations were opened against institutions. In order to provide those responsible with greater clarity in the performance of their duties, the FDPIC has published guidelines⁴ on how to deal with data security breaches.
- Right to information
The activity report then points out that in some cases the right to information under data protection law was not properly implemented. In several cases, requests for information were not answered, or only general references to the data protection guidelines were provided. The FDPIC called for information requests to be answered and for measures to be taken to ensure that the right to information is handled in accordance with the law.
There are deadlines to be observed for any notifications that may be necessary due to a data security breach, as well as for responding to requests for information. Both areas have in common that the assessment usually requires specialised technical and data protection knowledge and involves several internal functions in the assessment (e.g. whether a data security breach poses a high risk in an individual case) and in decision-making. In more complex cases in particular, external experts may need to be consulted.
If a financial institution wants to prepare for such incidents, the relevant processes and responsibilities must be defined and communicated in advance. In particular, it should be ensured that a centralised and qualified body is responsible for coordination.
FINMA Risk Monitor 2025: Extended areas of supervision
The current FINMA Risk Monitor 2025 identifies several operational risks as major risks. The following section explains two of these risks, which are relevant to all financial institutions and have a data protection nexus, and outlines possible recommendations for action.
- Outsourcing:
FINMA has observed a steady increase in the outsourcing of critical functions by financial institutions to third parties. This poses risks both for individual institutions as well as for the financial market as a whole. At the institutional level, one example is ensuring the information security of the third party. At the financial market level, FINMA highlights, for example, the strong dependence on a small number of cloud service providers, which can lead to significant cluster risks. FINMA is responding by tightening its supervisory practices: it is conducting more on-site inspections not only of supervised entities but also of their service providers.
Outsourcing is not primarily a data protection issue, but it requires special attention from a data protection perspective, and outsourcings classified as non-essential must be addressed just as essential outsourcings are. A thorough understanding is required of whether personal data is being "outsourced", how this is done, where it is processed, what technical and organisational measures are in place, etc. In particular, reporting obligations of the outsourcing partner, e.g. in the event of a data security breach, must be defined, and it must be ensured, for example, that information about any breaches is obtained in good time.
- Cyber risks:
An increase in the number of cyberattacks reported was observed in the past reporting period. Around 47% of the cyberattacks reported in the past reporting period were cyberattacks on third parties. FINMA expects these attacks to continue to increase and is responding to and monitoring cyber risk through targeted on-site inspections and other measures. FINMA has also published audit points for fund management companies and collective asset managers on the management of cyber risks.
Financial institutions primarily mitigate cyber risks through an information security framework, complemented by technical and organisational measures. In addition, appropriate training and awareness-raising among employees are now standard practice, and their importance will continue to grow due to technical advances in certain types of cyberattacks, such as phishing. Cybercriminals may deliberately target personal data. As already noted in the discussion of the activity report, data security breaches, as is typically the case in cyberattacks, are, under certain circumstances, subject to mandatory reporting. The boundaries between information security and data protection are fluid, and close coordination between these two disciplines is essential.
Artificial intelligence
The use of programmes and applications commonly referred to as "AI – artificial intelligence" is on the rise and offers undeniable advantages. When personal data is processed using AI, the same data protection principles and regulations must be observed as when personal data is processed manually. Before processing personal data with AI or granting AI access to personal data, it must be clarified whether all data protection requirements can be met. In particular, consideration must be given to which external parties may be involved in the processing and/or whether the AI in question can actually be fully controlled. The financial institution must then be clear about what personal data is being processed, how the AI processes this data, where it is stored, whether decisions are made, etc. In other words, it is necessary to know how the AI works. On that basis, appropriate measures must be defined to mitigate risks. This may require a variety of things, such as contractual coverage, adjustments to the privacy policy and/or consents, technical measures, internal training, etc.
Conclusion
Data protection issues require constant attention and ongoing review of the measures taken. Data protection is not an isolated compliance issue; there are various interfaces with other risks, and its implementation must therefore be holistic. This fundamentally requires cooperation between different functions. If the undisputed advantages of "AI" are to be exploited, it must then be considered whether personal data is processed by "AI" and appropriate measures must be taken accordingly.
¹ This is a highly simplified presentation intended to enable a quick initial assessment of the topic. Each institution should determine the relevance and specific need for action on an individual basis.
² The necessity of implementation measures must be distinguished from relevance. As this is not a new topic, most institutions will already have a system in place.
³ The relevance is also considered to be high for asset managers of collective assets who also offer individual asset management services.
⁴ FDPIC guidelines on reporting data breaches and informing data subjects in accordance with Art. 24 DSG.
