D-02-01

From 1 January 2025, banks, insurance companies and financial market infrastructures will have to report cyber attacks to the Federal Office for Cyber Security (FOCS) within 24 hours. The Federal Council has just put out to consultation the draft ordinance that implements art. 74a ff of the Federal Act on Information Security (obligation to report cyber attacks). As we explained earlier (see Hirsch, cdbf.ch/1261), banks will now have to inform the OFCS in the event of a cyber attack. The[...]

Obtaining the relevant extracts from the database needed to assess FINMA's guarantees of irreproachable activity (formerly Watchlist) is a real crossroads for an employee who has temporarily given up exercising an activity subject to FINMA. The Federal Administrative Court (FAT) has confirmed that art. 8 aLPD (now art. 25 LPD) does not allow access to the documents that justified inclusion on the Watchlist to the same extent as in a genuine procedure on the merits to determine whether an individual[...]

The right of access under the DPA is abused when a person invokes it against a family office to obtain information concerning a trust and the financial situation of his father (ACJC/1610/2023). A very wealthy Italian businessman has a family office in Geneva, which performs various services for his daughter. Payments to her were made from the father's account. The father tells the family office that his daughter has a budget limit of EUR 100,000 per month. The daughter receives[...]

Even if the company carrying out the credit scoring is not the company that ultimately decides whether to grant a loan, it takes an automated individual decision and must therefore inform the data subject (CJEU ruling of December 7, 2023 in case C-634/21, SCHUFA Holding AG). Following the refusal of a loan by a bank, a German national requested various items of information from SCHUFA, the leading German company for credit checks. The refusal of the loan was justified on[...]