Right of access

An abuse of rights against the family office

(Translated by DeepL)

The right of access under the DPA is abused when a person invokes it against a family office to obtain information concerning a trust and the financial situation of his father (ACJC/1610/2023).

A very wealthy Italian businessman has a family office in Geneva, which performs various services for his daughter. Payments to her were made from the father’s account. The father tells the family office that his daughter has a budget limit of EUR 100,000 per month. The daughter receives a monthly summary of the payments ordered, broken down by category. However, the information relating to her father’s bank account is blacked out.

The father then set up a trust, of which his daughter was the beneficiary for a certain period. The intention was for the trust to pay his daughter’s expenses, but in the end this was not implemented. As a result of his daughter’s spendthrift behaviour and proceedings she had brought against her two sisters, the father decided to cease all contact with her and block all payments to her.

The daughter then applied to the family office for full access to her file on the basis of art. 8 DPA. After receiving certain information, she claimed that not all the documents had been sent to her. She then received more than 6,000 e-mails to and from her.

Dissatisfied, she applied to the Court of First Instance of the Canton of Geneva for a right of access. She wished to obtain financial and tax information, in particular about the trust of which she was a beneficiary and the source of the funds used to pay her bills.

The Court found that the request was improper. It was not motivated by data protection considerations, but solely to obtain financial information about the father and sister with whom the daughter was in dispute. In addition, the family office had already produced all the daughter’s personal data. The daughter challenged the ruling before the Court of Justice.

Under art. 8 aLPD (which was still in force at the time of the first instance judgment), any person may ask the controller of a data file whether data relating to him or her is being processed (para. 1). The controller of the data file must inform the person concerned of all the data concerning him or her contained in the file, including any available information on the origin of the data (paragraph 2(a)), as well as the purpose and any legal basis for the processing, the categories of personal data processed, the participants in the file and the recipients of the data (paragraph 2(b)).

The Court of Justice recalls the limits of the right of access, as set out by the Federal Court in ATF 138 III 425 (cf. Fischer in cdbf.ch/821/), ATF 141 III 119 (cf. Richa in cdbf.ch/927) and ATF 147 III 139 (cf. Fischer in cdbf.ch/1200/). To sum up, if the request for access is intended to gather evidence for legal proceedings, it may be considered abusive (art. 2 para. 2 CC).

Furthermore, access to personal data does not allow data concerning third parties to be obtained. The debtor of the right of access must organise himself and take the necessary security measures (sorting the data, redacting names or other data) to prevent the applicant from having access to third-party data (in particular third-party data covered by official or professional secrecy).

In this case, the family office not only provided numerous documents, including more than 6,000 e-mails, but also the contact details of people who could provide the daughter with information on these issues. In addition, the family office could not pass on the father’s bank details. It had therefore rightly transmitted only monthly statements, which included the daughter’s personal details, but not those of the father.

In any event, the Court found the daughter’s request to be abusive. In fact, the sole purpose of her request was to obtain information about the trust of which she was no longer a beneficiary and about her father’s financial situation. Such a purpose is alien to the interests protected by the DPA.

The Court therefore dismissed the daughter’s appeal.

This judgment follows the trend in recent case law, which increasingly accepts that a request for a right of access may be abused (in addition to the above-mentioned ATF 147 III 139, see 4A_277/2020, commented on in Hirsch, swissprivacy.law/45/ and ACJC/562/2022, commented on in Hirsch, cdbf.ch/1243). In this case, not only was the request aimed at obtaining evidence for other proceedings, but it also appeared to be particularly broad. In addition, the family office had already provided the applicant with a great deal of information. These factors probably contributed to the finding that the request for access based on the DPA was unreasonable.

The entry into force of the new DPA in September 2023 (after the contested judgment) does not alter the situation. The legislator has expressly provided (1) that the right of access relates only to “personal data processed as such” (art. 25 para. 2 let. b DPA) and (2) that it may be refused if it “pursues a purpose contrary to data protection”, such as obtaining evidence that is normally inaccessible (art. 26 para. 1 let. c DPA).